
Microsoft (70-640) TS: Windows Server 2008 Active Directory, Configuring

Question ID :

rrMS_70-640-010

Your network includes one domain controller running Windows Server 2008. It is configured with an Active Directory-Integrated zone for stayandsleep.com. You have installed the Server Core installation on DC2 and promoted the server to a domain controller for the stayandsleep.com domain.

You need to configure DC2 to resolve names for computers in the stayandsleep.com domain.

What should you do?

1. Execute the following commands:

start /w ocsetup DNS-Server-Core-Role

dnscmd /zoneadd stayandsleep.com /dsprimary

<Correct>

2. Use Computer Manager to add the DNS Server role.

Use Server Manager to create an Active Directory-Integrated zone.

3. Execute the following commands:

dcpromo.exe /DNS-Server-Core-Role

dnscmd /zoneadd stayandsleep.com

4. Use Server Manager to add the DNS Server role.

Use DNS Manager to create an Active Directory-Integrated zone.

Explanation :

You should execute the following commands:

start /w ocsetup DNS-Server-Core-Role

dnscmd /zoneadd stayandsleep.com /dsprimary

The Server Core installation must be managed from the command line. You use the ocsetup command to add roles to the server. You use the dnscmd command with the /zoneadd option to add a zone to the DNS server role. The /dsprimary option adds an Active Directory-Integrated zone.

You should not execute the following commands:

dcpromo.exe /DNS-Server-Core-Role

dnscmd /zoneadd stayandsleep.com

The dcpromo.exe command launches the Active Directory Domain Controller Installation Wizard, which cannot be run on Server Core installations. The dcpromo command must be used with an unattended installation file on Server Core installations. The /DNS-Server-Core-Role option is not a valid option for the dcpromo.exe utility. Also, you must specify the /dsprimary option to create an Active Directory-Integrated zone.

You should not use Server Manager to add the DNS Server role and use DNS Manager to create an Active Directory-Integrated zone. Server Manager is used to manage roles, but only on a full installation of Windows Server 2008, not on a Server Core installation.

You should not use Computer Manager to add the DNS Server role and use Server Manager to create an Active Directory-Integrated zone. Computer Manager and Server Manager cannot be used on a Server Core installation.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure DNS server settings.

References :

Lesson 2: Configuring and Managing Server Core

Course 6415A

Server Core Installation Option of Windows Server 2008 Step-By-Step Guide Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de-8d30-ad0afb1eaffc1033.mspx?mfr=true

Dnscmd Syntax Microsoft TechNet Link:

http://technet2.microsoft.com/WindowsServer/en/Library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx


Question ID :

niit9MS_70-640-096

You have deployed Windows Server 2008 on all servers in the organization.

On one server, you install Active Directory Domain Services (AD DS), Active Directory Certificates Services (AD CS), Active Directory Federation Services (AD FS), and Active Directory Lightweight Directory Services (AD LDS).

You need to perform offline defragmentation of the Active Directory database on this computer.

What should you do before performing offline defragmentation?

1. Select the Always perform incremental backup radio button in the Optimize Backup Performance window from the Windows Server Backup snap-in.

2. Perform disk cleanup from the Windows Server Backup snap-in.

3. Perform a system state backup from the Windows Server Backup snap-in.

<Correct>

4. Perform a differential backup from the Windows Server Backup snap-in.

Explanation :

You should perform a system state backup before starting offline defragmentation of the Active Directory database. In Windows Server 2008, you cannot perform a system state backup in the same manner as it was done in Windows Server 2003 or Windows Server 2000. In Windows Server 2008, you cannot back up only system state data; you must back up critical volumes, and then you can back up system state data. The critical volumes include:

* The system volume, which hosts the boot files

* The boot volume, which hosts the Windows operating system and registry

You do not need to perform disk cleanup. Disk cleanup removes temporary files, empties the Recycle Bin, and removes unnecessary files. You do not need to perform disk cleanup before executing offline defragmentation.

You should not select the Always perform incremental backup radio button. This will configure Windows Server Backup to perform an incremental backup each time a backup is performed. An incremental backup is a change-only backup that backs up only the files that have changed since the last backup of any type. It does not perform a full system state backup and is, therefore, not required before performing an offline defragmentation of the Active Directory database.

You need not perform a differential backup. A differential backup is a change-only backup that saves only those files that have changed since the last full backup. It does not perform a full system state backup.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Perform offline maintenance.

References :

Windows Server 2008 Restartable AD DS Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx

What Are Restartable AD DS? Course 6043


Question ID :

niit8MS_70-640-077

Your company's network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a Windows Server 2008 computer named Server1. You configure Server1 as a Certification Authority (CA) to issue certificates to all domain users for smart card logon.

You need to validate the real-time revocation status of certificates issued to all domain users. You need to keep cost to a minimum.

What should you do?

1. Use Online Certificate Status Protocol (OCSP) responses.

<Correct>

2. Use a Certification Revocation List (CRL).

3. Use a Delta Certification Revocation List (CRL).

4. Use an Online Responder array.

Explanation :

You should use OCSP responses. An Online Responder provides revocation status information for certificates issued by a single CA or multiple CAs. Certificate status responses from Online Responders are also referred to as OCSP responses. OCSP uses Hypertext Transfer Protocol (HTTP). It allows a relying party to submit a certificate status request to an OCSP responder. In addition to using OCSP responses, you can also use CRLs and delta CRLs to validate the revocation status of certificates. The recommended scenarios for using OCSP responses include:

* Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate revocation checking

* Smart card logon

* Enterprise Secure/Multipurpose Internet Mail Extensions (S/MIME)

* Extensible Authentication Protocol (EAP)/TLS-based Virtual Private Network (VPN)

OCSP responders usually get their data from published CRLs and are therefore reliant on the publishing frequency of the CA. However, OCSP responders can be configured to receive data directly from the CA's certificate status database, which provides near real-time status. OCSP responders do not provide information about all certificates that have been revoked or suspended. This information is provided by a CRL.

You should not use a CRL or delta CRL. A CRL is a file that contains the serial numbers of certificates that have been issued by the CA and are revoked. A CRL also contains the revocation reason for each certificate and the time the certificate was revoked. There are two types of CRLs that you can create: base CRLs and delta CRLs. Base CRLs contain a complete list of revoked certificates, while delta CRLs list only those certificates that have been revoked since the last publication of a base CRL. CRLs are published according to a predefined period. Therefore, information in the CRL might be out of date until a new CRL or delta CRL is published.

You should not use an Online Responder array because this will not be viable for a single domain with a single CA. Using an Online Responder array will also incur more costs.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Install Active Directory Certificate Services.

References :

Installing, Configuring, and Troubleshooting the Microsoft Online Responder Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f1033.mspx?mfr=true

AD CS: Online Certificate Status Protocol Support Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/99d1f392-6bcd-4ccf-94ee-640fc100ba5f1033.mspx?mfr=true


Question ID :

rrMS_70-640-023

You are planning an Active Directory forest that will span three sites: New York, Miami, and Denver. The forest will have three domains: a root domain, DomA, and DomB. A domain controller for each domain is located in Miami. A read-only domain controller (RODC) for DomA is located in New York. An RODC for DomB is located in Denver. Most of the users in DomB are located in the Denver office. The users in DomA are split evenly between Miami and New York.

You need to optimize the placement of the Primary Domain Controller (PDC) Emulator role.

What should you do?

1. Configure the root domain's domain controller in Miami, the domain controller in New York, and the domain controller in Denver with the PDC Emulator role.

2. Configure the domain controller in New York and the domain controller in Denver with the PDC Emulator role.

3. Configure all three domain controllers in Miami with the PDC Emulator role. <Correct>

4. Configure only the domain controller in the root domain with the PDC Emulator role.

Explanation :

You should configure all three domain controllers in Miami with the PDC Emulator role. The PDC Emulator role is a domain-wide role. Therefore, a domain controller in each domain should hold it. You should generally position the PDC Emulator role as close to the users in the domain as possible. However, in this case the domain controllers in New York and Denver are RODCs. An RODC cannot hold an operations master role.

You should not configure only the domain controller in the root domain with the PDC Emulator role. The PDC Emulator role is a domain-wide role, so it should be held by one domain controller in each domain.

You should not configure the domain controller in New York and the domain controller in Denver with the PDC Emulator role. The domain controllers in New York and Denver are RODCs, so they cannot hold an operations master role.

You should not configure the root domain's domain controller in Miami, the domain controller in New York, and the domain controller in Denver with the PDC Emulator role. The domain controllers in New York and Denver are RODCs, so they cannot hold an operations master role.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure operations masters.

References :

Planning Operations Master Role Placement Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true


Question ID :

niit9MS_70-640-093

You have deployed Windows Server 2008 on all servers in the organization. You have recently performed a full backup on a Windows Server 2008 server which has the Web Server role installed on it.

You need to recover a folder from the full backup because that folder is not accessible any longer due to some software corruption.

Which command should you use?

1. Wbadmin start recovery -notrestoreacl

2. Wbadmin start recovery -skipbadclustercheck

3. Wbadmin start recovery -itemtype:File

<Correct>

4. Wbadmin start recovery -recursive

Explanation :

You should run the Wbadmin start recovery -itemtype:File command to run a recovery of the specified folder. Wbadmin allows you to back up and restore your computer, volumes, and files and folders from the command prompt. The Wbadmin command has replaced the Ntbackup command that was used in earlier versions of Windows. The Wbadmin command applies only to Windows Server 2008.

You should not use the Wbadmin start recovery -recursive command. This parameter is not valid when recovering folders by using Wbadmin. This parameter is valid only to recover files.

You should not use the Wbadmin start recovery -notrestoreacl command. The -notrestoreacl parameter is not valid for recovering folders by using Wbadmin. This parameter is valid only when recovering files. The -notrestoreacl parameter specifies to not restore the security access control lists (ACLs) of the files that are being recovered from the backup.

You should not use the Wbadmin start recovery -skipbadclustercheck command. The -skipbadclustercheck parameter is not valid for recovering folders by using Wbadmin. This parameter is valid only when recovering volumes. The -skipbadclustercheck parameter will skip checking your recovery destination disks for bad cluster information when restoring volumes.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Configure backup and recovery.

References :

Wbadmin start recovery Microsoft TechNet Link:

http://technet2.microsoft.com/WindowsServer2008/en/library/52381316-a0fa-459f-b6a6-01e31fb216121033.mspx

The Process of Recovering AD DC Data Course 6043


Question ID :

niit8MS_70-640-081

You have deployed Windows Server 2008 on all servers in your company's Active Directory domain. Your organization has a single forest and a single Active Directory domain. You recently installed Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. You plan to install Active Directory Federation Services (AD FS) to use with AD CS.

You need to ensure that AD FS can provide security tokens to client applications in response to requests for access to the resources.

Which role service should you configure while installing AD FS?

1. Federation Service Proxy

2. Federation Service

<Correct>

3. Claims-aware Agent

4. Windows Token-based Agent

Explanation :

You should install the Federation Service to provide security tokens to client applications in response to requests for access to the resources. The Federation Service routes authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.

You should not use the Claims-aware Agent to provide security tokens to client applications in response to requests for access to the resources. The Claims-aware Agent provides federated access control for applications that use the claims directory for authentication. A claims-aware application is a Microsoft ASP.NET application that uses claims in an AD FS security token to make authorization decisions and personalize applications.

You should not use the Windows Token-based Agent to provide security tokens to client applications in response to requests for access to the resources. The Windows Token-based Agent provides federated access control for Windows applications that use traditional Windows token-based authentication. The Windows Token-based Agent hosts a Windows NT token-based application to convert an AD FS security token into an impersonation-level, Windows NT access token.

You should not use Federation Service Proxy to provide security tokens to client applications in response to requests for access to the resources. The Federation Service Proxy collects user credentials from browsers and Web applications and forwards the credentials to the federation service. The Federation Service Proxy uses WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user credential information from browser clients.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Federation Services (AD FS).

References :

Active Directory Federation Services Overview Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d3103


Question ID :

rrMS_70-640-009

Your network has three Active Directory domains in a single site: stayandsleep.com, dev.stayandsleep.com, and sales.stayandsleep.com. Each domain has four domain controllers, all running Windows Server 2008. Each domain controller is configured with an Active Directory-Integrated zone for its own domain. A Domain Name System (DNS) server named DNS-Ext is located on the perimeter network. DNS-Ext is configured as a caching-only DNS server.

You need to enable clients in the child domains to resolve the names of servers in the parent domain. Your solution should limit the domain controllers' exposure to the Internet.

What should you do? (Each correct answer presents part of the solution. Choose two.)

1. Modify the root hints for all internal DNS servers to contain only DNS servers in the stayandsleep.com domain.

<Correct>

2. Add all internal DNS servers as forwarders on DNS-Ext.

3. Modify the root hints for all internal DNS servers to contain only DNS-Ext.

4. Configure DNS-Ext as a forwarder for all internal DNS servers.

<Correct>

5. Modify the root hints for DNS-Ext to contain the DNS servers on the internal network.

Explanation :

You should configure DNS-Ext as a forwarder for all internal DNS servers. Configuring DNS-Ext as a forwarder for all internal DNS servers will allow them to send recursive queries to DNS-Ext, which DNS-Ext will resolve by contacting Internet root servers.

You should also modify the root hints for all internal DNS servers to contain only DNS servers in the stayandsleep.com domain. A DNS server will use root hints to resolve name resolution requests if it cannot resolve them and if it is not configured with a forwarder or if the forwarder cannot resolve the name. By removing the Internet DNS servers from root hints and replacing them with the DNS servers in the stayandsleep.com domain, you can prevent the DNS servers from sending requests to the Internet root servers, while still enabling clients in the child domains to resolve the names of servers in the parent domain.

You should not modify the root hints for DNS-Ext to contain the DNS servers on the internal network. DNS-Ext should not contact the internal DNS servers to provide name resolution. It should only resolve names for Internet servers.

You should not add all internal DNS servers as forwarders on DNS-Ext. You add the server to which the DNS server should forward requests as a forwarder, not the other way around.

You should not modify the root hints for all internal DNS servers to contain only DNS-Ext. You should configure DNS-Ext as a forwarder. If you modify root hints to contain only DNS-Ext, users will only be able to resolve the names of resources in their domain or on the Internet.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure DNS server settings.

References :

Securing the DNS Server Service Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/9f93a319-4e77-4c17-ad4a-10e3ea9847f11033.mspx?mfr=true

Understanding Forwarders Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b711033.mspx?mfr=true

Using Forwarders Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e2dd91d6-441f-4175-9d1d-d152d148d73c1033.mspx?mfr=true

Updating Root Hints Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/WindowsServer2008/en/library/7fc91f3b-c926-4dd7-a9f5-8d140d261a141033.mspx


Question ID :

rrMS_70-640-036

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The network currently has only a single site. The company is preparing to open a branch office.

You must ensure that administrators at the branch office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to the corporate office is unavailable.

What should you do?

1. Install a read-only domain controller (RODC) at the branch office.

Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

2. Install a read-only domain controller (RODC) at the branch office.

Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

3. Install a standard domain controller at the branch office.

Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins. <Correct>

4. Install a standard domain controller at the branch office.

Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

Explanation :

You should perform the following steps:

* Install a standard domain controller at the branch office.

* Create a global group named BranchAdmins.

* Create an OU named BranchUsers.

* Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

You should install a standard domain controller at the branch office to allow administrators there to log on to it and manage accounts even if the link to the corporate office is unavailable. You should create an OU named BranchUsers and use the Delegation of Control Wizard to delegate the Create, delete, and manage user accounts task to the BranchAdmins global group. You must delegate the permission to manage user accounts on the OU that will contain those user accounts.

You should not install an RODC at the branch office. An RODC cannot be used to make changes to user accounts. Therefore, administrators at the branch office would not be able to manage user accounts if the link to the corporate office was unavailable.

You should not create a domain local group named BranchUsers. You cannot delegate control to manage user accounts by delegating control for a group to which the accounts will belong. You must delegate control for the OU that will contain the user accounts to be managed.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Maintain Active Directory accounts.

References :

Creating an Organization Unit Design Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/04f9603d-b4a8-4a33-af4a-257aca2f32791033.mspx?mfr=true

Delegating Administration by Using OU Objects Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/2ddcbce2-cbc2-48f7-a732-0caf4effef9f1033.mspx?mfr=true


Question ID :

niit9MS_70-640-086

Your company has a main office and a branch office. You install Windows Server 2008 on all servers on the network. You install a domain controller named DC1 in the main office and a Read-Only Domain Controller (RODC) named RODC1 in the branch office. The offices are connected by a 128-Kbps link.

A user named Paul travels frequently to the branch office and requires access to the branch office network. You want to ensure that Paul is able to log on to the network in the branch office even if the Wide Area Network (WAN) link to DC1 is unavailable.

Which actions should you perform? (Each correct answer presents part of the solution. Choose two.)

1. Add Paul's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

2. Prepopulate the password cache of RODC1 with the password of Paul's user account.

<Correct>

3. Add Paul's user account with the Deny setting to the Password Replication Policy tab in the properties dialog box for RODC1.

4. Add Paul's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.

5. Add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1.

<Correct>

Explanation :

You should add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1 and prepopulate the password cache of RODC1 with the password of Paul's user account. An RODC hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. Prepopulating the RODC password cache allows the RODC to store the passwords for users and computers before they try to log on in the branch office. Prepopulating the password cache is helpful when you want to ensure that a user is able to log on to the network in a branch office even if the WAN link to the writable domain controller is unavailable. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.

You should not add Paul's user account with the Deny setting to the Password Replication Policy tab in the properties dialog box for RODC1. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. Therefore, you should add Paul's user account with the Allow setting to the Password Replication Policy tab in the properties dialog box for RODC1.

You should not add Paul's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts that have been authenticated to this Read-only Domain Controller list displays all user and computer accounts that are authenticated to an RODC. You cannot manually add a user or a computer account to the Accounts that have been authenticated to this Read-only Domain Controller list.

You should not add Paul's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts whose passwords are stored on this Read-only Domain Controller list displays all user or computer accounts whose passwords are stored on that RODC. You cannot manually add a user or a computer account to the Accounts whose passwords are stored on this Read-only Domain Controller list.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure the read-only domain controller (RODC).

References :

Step-by-Step Guide for Read-Only Domain Controller in Windows Server 2008 Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

Password Replication Policy Administration Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/1ec4c1ac-5768-4b53-9271-1948b8e8816f1033.mspx?mfr=true

Options for Configuring Password Replication Policies Course 6043


Question ID :

niit9MS_70-640-082

You have deployed Windows Server 2008 on all servers in the organization. You want to implement security for digital information such as user data and e-mail messages.

You plan to install the Active Directory Rights Management Services (AD RMS) server role by using the Server Manager on a computer running Windows Server 2008.

Which other roles must also be installed on the server? (Choose two.)

1. Web Server (IIS)

<Correct>

2. Windows Process Activation Service (WPAS)

<Correct>

3. Network Policy and Access Services

4. Application Server

5. File Services

Explanation :

The WPAS and Web Server (IIS) roles are required to install AD RMS on a computer running Windows Server 2008. When configuring AD RMS, you must ensure that Web Server (IIS), WPAS, and Message Queuing are listed on the Role Services page. AD RMS works with AD RMS-enabled applications to secure sensitive and confidential information. AD RMS uses WPAS to manage the activation and lifetime of applications invoked remotely over the network.

The Application Server role is not required when installing the AD RMS server role on a computer running Windows Server 2008. Application Server provides an environment for deploying and running custom business applications. It is not required for installing the AD RMS server role.

The Network Policy and Access Services role is not required when installing the AD RMS server role on a computer running Windows Server 2008. The Network Policy and Access Services role provides network connectivity solutions. This server role helps with routing local area network (LAN) and wide area network (WAN) traffic, creating and enforcing network access policies, and accessing network resources over virtual private network (VPN) and dial-up connections. This server role is not required to install the AD RMS server role.

You do not require the File Services role to install the AD RMS server role on a computer running Windows Server 2008. The File Services role provides technology for storage management, file replication, and streamlined client access to files.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Rights Management Service (AD RMS).

References :

Step 2: Installing and Configuring AD RMS on ADRMS-SRV Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/2d55f53f-8a4a-4dcd-886b-944cb4aa7cb41033.mspx

What Are Server Roles? Course 6042


Question ID :

flm9MS_70-640-059

You are configuring your network as a single Active Directory domain. The domain will include three sites, each with three to five remote offices. Each office has a maximum of 70 users. You plan to place two domain controllers in each office. All wide area links are full-time links.

You need to determine global catalog placement for your network. Your solution must meet the following criteria:

* Optimize searches for domain resources.

* Optimize logon and authentication.

* Minimize replication traffic.

* Minimize CPU and disk resource requirements on domain controllers.

* Minimize management overhead.

* Provide fault tolerance.

Except for the main office, all domain controllers will be deployed on computers running a Server Core installation of Microsoft Windows Server 2008. There will be one writable domain controller in each site. The remaining domain controllers will be read-only domain controllers (RODCs). The forest root domain controller will be physically located in the main office.

What should you do?

1. Configure each writable domain controller as a global catalog.

2. Configure the forest root domain controller as the only global catalog.

3. Configure one domain controller in each office as a global catalog.

4. Configure all domain controllers as global catalogs. <Correct>

Explanation :

You should configure all domain controllers as global catalogs. This is the configuration recommended by Microsoft when supporting a single-domain Active Directory. This does not increase the resource requirements because, in a single-domain Active Directory, every domain controller stores the domain directory partition. Because the global catalog is maintained locally on each domain controller, domain operations are optimized and the second domain controller in each office provides fault tolerance. None of the other configurations provide local fault tolerance.

You should not limit global catalog servers to the forest root only. This places an additional load on the forest root and network infrastructure and could lead to less than optimum performance.

You should not make just the writable domain controllers or just one domain controller in each office a global catalog. This does not provide local fault tolerance and might not provide as good performance.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure the global catalog.

References :

Planning Global Catalog Server Placement Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true

What's New in AD DS Installation and Removal Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe4103

Global catalogs and sites Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true


Question ID :

rrMS_70-640-058

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to implement smart card authentication. The smart card issuing plan must meet the following requirements:

* Members of the Help Desk department at each location must be able to issue smart card certificates.

* Members of the Help Desk department must be able to issue smart card certificates only for users at their own location.

You create the HelpDeskNY, HelpDeskAtl, and HelpDeskChi global groups.

You need to configure the CA to meet the smart card enrollment requirements.

What should you do? (Each correct answer presents part of the solution. Choose three.)

1. Issue an Enrollment Agent certificate to each member of the Help Desk department. <Correct>

2. Create a Smart Card Logon certificate template for each location. Grant HelpDeskNY, HelpDeskAtl, and HelpDeskChi the Read and Enroll permission on only the appropriate Smart Card Logon certificate template.

3. Create UsersNY, UsersAtl, and UsersChi global groups. <Correct>

4. Create an Enrollment Agent certificate template for each location. Grant UsersNY, UsersAtl, and UsersChi the Read permission on only the appropriate Enrollment Agent certificate template.

5. Enable Restricted enrollment agents. Associate the HelpDeskxx global group for each location with the Usersxx global group for each location. <Correct>

Explanation :

You should perform the following steps:

* Create UsersNY, UsersAtl, and UsersChi global groups.

* Issue an Enrollment Agent certificate to each member of the Help Desk department.

* Enable Restricted enrollment agents.

* Associate the HelpDeskxx global group for each location with the Usersxx global group for each location.

Windows Server 2008 supports restricted enrollment agents. On the Enrollment Agents tab of the CA's properties you can name a security group of enrollment agents who are allowed to enroll for a Smart Card certificate on behalf of a specific group of users, and associate that group with the security group containing those user accounts. An agent who is not listed for a given user group cannot enroll on behalf of its members, regardless of which templates the agent can read.

You should not perform the following steps:

* Create an Enrollment Agent certificate template for each location.

* Grant UsersNY, UsersAtl, and UsersChi the Read permission on only the appropriate Enrollment Agent certificate template.

You cannot limit which users an enrollment agent can enroll for a smart card certificate on behalf of by granting permission on the Enrollment Agent certificate template. Granting users Read permission on a certificate template allows a user to view the certificate template. It does not limit whether a person with a certificate based on that template can enroll on behalf of the users.

You should not perform the following steps:

* Create a Smart Card Logon certificate template for each location.

* Grant HelpDeskNY, HelpDeskAtl, and HelpDeskChi the Read and Enroll permission on only the appropriate Smart Card Logon certificate template.

You cannot limit which users an enrollment agent can enroll for a smart card certificate on behalf of by creating different Smart Card Logon certificate templates and granting permission to them based on location. An enrollment agent who holds an Enrollment Agent certificate could use any Smart Card Logon template the agent can read and enroll from to enroll any user.
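Because an Enrollment Agent certificate lets its holder obtain logon credentials for other users, the complement to the restriction above is knowing exactly who holds one. The following script is an added example, not part of the original question or of any Microsoft tool: it asks the CA for every issued certificate based on the built-in EnrollmentAgent template and flags holders who are not members of one of the three Help Desk groups. The CA configuration string and group names are assumptions; certutil's CSV output is parsed positionally so the script does not depend on the column captions.

```powershell
# Added example, not part of the original question: inventory Enrollment Agent certificate
# holders on the CA and flag anyone outside the Help Desk groups. Values below are assumptions.
$CaConfig       = 'CA1.corp.example\Corp Issuing CA'          # assumption: "<host>\<CA name>"
$HelpDeskGroups = 'HelpDeskNY', 'HelpDeskAtl', 'HelpDeskChi'

# Members of a global group as DOMAIN\sAMAccountName, the form certutil reports in
# RequesterName. Assumes the groups live in the current user's domain.
function Get-GroupMemberNames([string]$GroupName) {
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $group = $searcher.FindOne()
    if ($group -eq $null) { return }
    foreach ($dn in $group.Properties['member']) {
        $member = [ADSI]"LDAP://$dn"
        "$env:USERDOMAIN\$($member.sAMAccountName)"
    }
}

# Issued (Disposition=20) certificates based on the v1 EnrollmentAgent template.
# certutil prints a quoted CSV header, one quoted row per certificate, then a status line;
# keep only the quoted rows and drop the header.
function Get-IssuedEnrollmentAgentCerts {
    certutil -config $CaConfig -view -restrict 'CertificateTemplate=EnrollmentAgent,Disposition=20' `
             -out 'RequesterName,SerialNumber,NotAfter' csv |
        Where-Object { $_ -match '^"' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header Requester, Serial, Expires
}

# Expected holders: anyone in one of the Help Desk groups.
$expected = @{}
foreach ($g in $HelpDeskGroups) {
    foreach ($name in Get-GroupMemberNames $g) { $expected[$name.ToLower()] = $g }
}

foreach ($c in Get-IssuedEnrollmentAgentCerts) {
    $key = $c.Requester.ToLower()
    if ($expected.ContainsKey($key)) {
        "{0,-30} ok   ({1}, expires {2})" -f $c.Requester, $expected[$key], $c.Expires
    } else {
        "{0,-30} NOT in any Help Desk group, serial {1}: review, and revoke if unexplained" -f $c.Requester, $c.Serial
    }
}
```

Run it from a workstation with the AD CS management tools, as an account that can read the CA database. Anyone flagged is a person who can enroll smart cards on behalf of others without being subject to the Help Desk restriction you configured, so the finding is worth a ticket, not just a note.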

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Manage enrollments.

References :

Active Directory Certificate Server Enhancements in Windows Server Code Name "Longhorn" Microsoft Downloads Link:

http://www.microsoft.com/downloads/details.aspx?familyid=9bf17231-d832-4ff9-8fb8-0539ba21ab95&displaylang=en

AD CS: Restricted Enrollment Agent Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/56d66319-2e49-447b-92a3-1ca2a674fb8d1033.mspx?mfr=true


Question ID :

niit9MS_70-640-087

Your organization has a single forest and a single Active Directory domain. You have deployed Windows Server 2008 on all servers in the organization.

Your organization wants to ensure that Windows Server 2008 provides customizable services for creating and managing public key certificates. You plan to install Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008 that cannot use Directory Service data to issue or manage certificates.

What should you do while installing AD CS?

1. Select the Enterprise option on the Specify Setup Type page in the Add Roles Wizard.

2. Clear the Certification Authority checkbox on the Select Role Services page in the Add Roles Wizard.

3. Select the recommended option on the Specify Setup Type page in the Add Roles Wizard.

4. Select the Standalone option on the Specify Setup Type page in the Add Roles Wizard. <Correct>

Explanation :

You should select the Standalone option on the Specify Setup Type page in the Add Roles Wizard when installing AD CS. As mentioned in the scenario, the computer running Windows Server 2008 cannot use Directory Service data to issue or manage certificates, and the Standalone option should be selected if the certification authority (CA) does not use Directory Service data to issue or manage certificates.

You should not select the recommended option. The Enterprise option is the recommended option on the Specify Setup Type page. This option should be selected if the CA is a member of a domain and can use Directory Service data to issue and manage certificates.

You should not select the Enterprise option. The Enterprise option should be selected if the CA is a member of a domain and can use Directory Service data to issue and manage certificates. As mentioned in the scenario, this server cannot use Directory Service data to issue or manage certificates. Therefore, you cannot select the Enterprise option.

You should not clear the Certification Authority checkbox on the Select Role Services page. The Certification Authority role service is the component that issues and manages certificates for users, computers, and organizations. Therefore, you must select it when choosing role services while installing AD CS.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Install Active Directory Certificate Services.

References :

Windows Server Active Directory Certificate Services Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx?mfr=true

How To Install Server Roles and Server Features Course 6042


Question ID :

rrMS_70-640-048

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. A portion of the organizational unit (OU) hierarchy is shown in the exhibit.

You need to deploy Microsoft Office 2007 to all members of the Sales department.

What should you do?

1. Create a Group Policy object (GPO) that assigns the application. Link it to SalesComputers. <Correct>

2. Create a Group Policy object (GPO) that publishes the application. Link it to SalesComputers.

3. Create a Group Policy object (GPO) that publishes the application. Link it to SalesUsers.

4. Create a Group Policy object (GPO) that assigns the application. Link it to SalesUsers.

Explanation :

You should create a GPO that assigns the application and link it to SalesComputers. Office 2007 cannot be assigned or published to a user. It must be assigned to a computer. Therefore, you must identify the package and assign it using the Software Installation policy in Computer Configuration. You must link it to the OU that contains the computers.

You should not create a GPO that assigns the application and link it to SalesUsers. Office 2007 can only be assigned to computers.

You should not create a GPO that publishes the application and link it to SalesComputers. You cannot publish applications to a computer. You can only publish applications to a user. However, Office 2007 cannot be published to a user.

You should not create a GPO that publishes the application and link it to SalesUsers. You cannot publish Office 2007 to a user.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Configure software deployment GPOs.

References :

Use Group Policy Software Installation to deploy the 2007 Office system Microsoft TechNet Link:

http://technet2.microsoft.com/Office/en-us/library/efd0ee45-9605-42d3-9798-3b698fff3e081033.mspx?mfr=true


Question ID :

flm9MS_70-640-026

You need to install two Active Directory Lightweight Directory Services (AD LDS) instances on a computer running a full installation of Microsoft Windows Server 2008.

What should you do first?

1. Run Ocsetup.

2. Run Dcpromo.

3. Run Active Directory Lightweight Directory Services Setup Wizard.

4. Run Server Manager. <Correct>

Explanation :

You should run Server Manager. Server Manager is a general-purpose management utility. You can use Server Manager on a server running Windows Server 2008 to add or remove roles, including AD LDS. Before you can install AD LDS instances, you must use Server Manager to install the AD LDS role. Role prerequisites will be installed at the same time.

You should not run Active Directory Lightweight Directory Services Setup Wizard first. You use the Wizard to install AD LDS instances after you have installed the AD LDS role.

You should not run Dcpromo. Dcpromo is used to promote a computer to an Active Directory Domain Services (AD DS) domain controller, and to demote one. It is not used to manage AD LDS instances. You must install the AD DS role before you promote the computer to a domain controller.

You should not run Ocsetup. Ocsetup is the supported way to add roles on a Windows Server 2008 Server Core installation; on a full installation, you add roles with Server Manager.
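Once the role is in place, the two instances the question asks for do not have to be created through the Setup Wizard. The following script is an added example, not from the original question or from Microsoft's documentation: it writes an answer file per instance and runs the unattended installer, giving each instance its own service and its own LDAP and SSL ports. Instance names, ports, the application partition DNs, the data path and the administrators group are assumptions. The service account is left at the default (Network Service) so no password needs to be written into the answer file.

```powershell
# Added example, not part of the original question: create two AD LDS instances unattended
# after the AD LDS role is installed. Names, ports, DNs and paths below are assumptions.
$instances = @(
    @{ Name = 'AppDir1'; Ldap = 50000; Ssl = 50001; Partition = 'CN=App1,DC=corp,DC=example' },
    @{ Name = 'AppDir2'; Ldap = 50002; Ssl = 50003; Partition = 'CN=App2,DC=corp,DC=example' }
)

foreach ($i in $instances) {
    $dataPath = "C:\ADLDS\$($i.Name)\data"               # assumption; default is under %ProgramFiles%\Microsoft ADAM
    $answer   = "$env:TEMP\$($i.Name)-answer.txt"

    # [ADAMInstall] answer file. No ServiceAccount/ServicePassword lines: the instance runs
    # as Network Service, so nothing secret lands on disk. Administrator names the group
    # that gets the AD LDS Administrators role for this instance (assumed to exist).
    @"
[ADAMInstall]
InstallType=Unique
InstanceName=$($i.Name)
LocalLDAPPortToListenOn=$($i.Ldap)
LocalSSLPortToListenOn=$($i.Ssl)
NewApplicationPartitionToCreate="$($i.Partition)"
DataFilesPath=$dataPath
LogFilesPath=$dataPath
Administrator=CORP\adlds-admins
ImportLDIFFiles="MS-User.LDF"
"@ | Set-Content -Path $answer -Encoding ASCII

    & "$env:windir\ADAM\adaminstall.exe" /answer:$answer
    Remove-Item $answer

    # Each instance is its own service, ADAM_<InstanceName>, bound to its own port.
    Get-Service "ADAM_$($i.Name)" | Select-Object Name, Status
    netstat -ano | Select-String ":$($i.Ldap)\s"
}
```

Two instances on one server must not share ports, which is why the answer file carries explicit LDAP and SSL port numbers; the second instance would otherwise fail to install when the first already owns the defaults. Keep the application partition names distinct for the same reason.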

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Lightweight Directory Service (AD LDS).

References :

Step-by-Step Guide for Getting Started with Active Directory Lightweight Directory Services Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/141900a7-445c-4bd3-9ce3-5ff53d70d10a1033.mspx?mfr=true

Step 1: Install the AD LDS Server Role Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/682674f4-a652-4772-8567-2f27417f4ec81033.mspx?mfr=true

Step 2: Practice Working with AD LDS Instances Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/27c4ac30-1058-4d9e-99fe-f0cd33eb21501033.mspx?mfr=true

How To Install Server Roles and Server Features Course 6042


Question ID :

niit8MS_70-640-096

Your organization's network contains five servers running Windows Server 2008 in an organizational unit named WinServers. All five servers are part of the company's domain. You notice that some unauthorized network connection attempts have been made to connect to all five servers.

You want to track down all network connection events across the five servers in the WinServers organizational unit. You create a new Group Policy object (GPO).

What should you do next?

1. Activate the Audit logon events policy and link the GPO to the WinServers organizational unit. <Correct>

2. Activate the Audit account logon events policy and link the GPO to the WinServers organizational unit.

3. Activate the Audit process tracking policy and link the GPO to the WinServers organizational unit.

4. Activate the Audit object access policy and link the GPO to the WinServers organizational unit.

Explanation :

You should activate the Audit logon events policy. The Audit logon events policy records each instance of a user logging on, logging off, or making a network connection to the computer where the policy applies, whether the logon is interactive or from the network and whether the account is local or a domain account. On Windows Server 2008 these records are Security log event ID 4624 (logon succeeded) and 4625 (logon failed); a connection from the network to a share or service is logon type 3, and the event carries the source address and account name you need to trace the attempts. Once you configure the audit policy, you link the GPO to the organizational unit that contains the computers to be audited. In this scenario, the servers are located in the WinServers organizational unit. Therefore, you should link the GPO to the WinServers organizational unit.

You should not activate the Audit process tracking policy and link the GPO to the WinServers organizational unit. The Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access.

You should not activate the Audit object access policy and link the GPO to the WinServers organizational unit. The Audit object access policy audits user attempts to access an object.

You should not activate the Audit account logon events policy and link the GPO to the WinServers organizational unit. The Audit account logon events policy records credential validation on the computer that authenticates the account: for domain accounts that is the domain controller, not the member server that was connected to. It would therefore not show the connection attempts on the five servers themselves.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Configure audit policy by using GPOs.

References :

Audit logon events Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true

HOW TO: Audit Active Directory Objects in Windows Server 2003 Microsoft Help and Support Link: http://support.microsoft.com/kb/814595

Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a5103

How To Audit Changes to Domain Services Course 6043


Question ID :

dhMS_70-640-017

Your company has recently upgraded all servers to Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers are members of the MedDev forest.

To comply with the company's security regulations, you have implemented an enterprise root certification authority (CA) and several subordinate CAs.

The company has recently sold one of its divisions. The division had a subordinate CA to issue certificates to computers and users.

You need to ensure that the rest of the CAs on your network no longer accept certificates issued by the former division's CA. You want to accomplish this with the least amount of administrative effort.

What should you do?

1. Revoke the certificates issued by the division's subordinate CA. Publish the Certificate Revocation List (CRL).

2. Revoke the certificates issued by the division's subordinate CA, and then revoke the certificate issued to the division's subordinate CA. Publish the Certificate Revocation List (CRL).

3. Revoke the certificate issued to the division's subordinate CA. Publish the Certificate Revocation List (CRL). <Correct>

4. Revoke the certificate of the enterprise root CA. Publish the Certificate Revocation List (CRL).

Explanation :

You should revoke the certificate issued to the division's subordinate CA. This is done on the parent CA that issued that certificate (the enterprise root CA, or an intermediate CA above the division's CA). Once the subordinate CA's certificate is revoked and a new Certificate Revocation List (CRL) is published, chain validation of any certificate issued by that CA fails at the revoked CA certificate, so relying parties across the network, the other CAs included, stop accepting those certificates. Note that a relying party only sees the revocation after it retrieves the new CRL from the CRL distribution point; a CRL it has already cached is used until that CRL expires.

You should not revoke all the certificates that have been issued by the division's subordinate CA. Although other CAs will no longer accept the certificates once they are revoked, the solution would require too much administrative effort.

You should not revoke the certificate of the enterprise root CA. This solution would decommission the entire infrastructure. Once the enterprise root CA certificate is revoked, no other certificates issued by the CA are valid.

You should not revoke the certificates issued by the division's subordinate CA and then revoke the certificate issued to the division's subordinate CA. Revoking the certificates issued by the CA is not necessary if you revoke the CA's own certificate. This solution requires too much administrative effort.
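The same procedure from the command line, as an added example that is not part of the original question: look up the subordinate CA's certificate on the parent CA, revoke it, publish a fresh CRL, and then confirm the result both on the CA and from a relying party's point of view. The parent CA configuration string, the subordinate CA's common name and the exported certificate path are assumptions.

```powershell
# Added example, not part of the original question: revoke a subordinate CA's certificate on
# the parent CA, publish the CRL, and verify. CA names, CN and file path are assumptions.
$ParentCa = 'CA1.corp.example\Corp Root CA'     # assumption: the CA that signed the sub CA cert
$SubCaCn  = 'Division Issuing CA'               # assumption: subject CN of the sold division's CA
$Reason   = 5   # CRLReason 5 = CessationOfOperation; 3 (AffiliationChanged) is also defensible

# Serial number of the issued (Disposition=20) certificate with that subject CN. certutil's
# csv output is a quoted header, quoted rows, then a status line; keep only the rows.
$serial = certutil -config $ParentCa -view -restrict "CommonName=$SubCaCn,Disposition=20" `
                   -out SerialNumber csv |
          Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
          ForEach-Object { $_.Trim('"') }
if (@($serial).Count -ne 1) {
    throw "expected exactly one issued certificate for '$SubCaCn', found $(@($serial).Count)"
}

certutil -config $ParentCa -revoke $serial $Reason   # moves it to the revoked set
certutil -config $ParentCa -CRL                      # publishes a new base CRL (and delta, if enabled)

# Check 1: the CA database now lists it as revoked (Disposition=21), with when and why.
certutil -config $ParentCa -view -restrict "SerialNumber=$serial,Disposition=21" `
         -out 'CommonName,RevokedWhen,RevokedReason'

# Check 2: from a relying party, chain building must fail at the revoked CA certificate.
# Flush the client's cached CRLs first; otherwise it keeps trusting until the old CRL expires.
certutil -urlcache crl delete
certutil -verify -urlfetch 'C:\temp\division-subca.cer'   # assumption: exported sub CA certificate
```

Check 2 is the one that matters operationally: if the new CRL has not reached every CRL distribution point the certificates advertise (the Active Directory and HTTP locations you configured), clients that fetch from the stale location will keep accepting the division's certificates even though the CA shows them as revoked.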

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Manage certificate revocations.

References :

Active Directory Certificate Services Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/c8955f83-fed9-4a18-80ea-31e865435f731033.mspx?mfr=true

Manage Certificate Revocation Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/5531ecb5-3073-490f-80f9-5d263e60b07a1033.mspx?mfr=true

Configuring Certificate Revocation Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083-8606-c0a4fdca9a251033.mspx?mfr=true


Question ID :

niit8MS_70-640-094

Your company's network is configured with one Windows Server 2008 server. The network also contains 200 Windows Vista client computers installed in various departments. You create a separate organizational unit for each department and place the client computers in each department in its respective organizational unit.

You install new software on all computers in the sales department, which are located in an organizational unit named SalesPC. The user accounts for all users in the sales department are located in an organizational unit named SalesUsers.

Three users from the sales department report that their computers restart every five minutes.

You need to identify the cause of the problem.

What should you do?

1. Create a new Group Policy object (GPO). Enable the Audit process tracking policy. Link the GPO to the SalesPC organizational unit.

2. Create a new Group Policy object (GPO). Enable the Audit process tracking policy. Link the GPO to the SalesUsers organizational unit.

3. Create a new Group Policy object (GPO). Enable the Audit system events policy. Link the GPO to the SalesPC organizational unit. <Correct>

4. Create a new Group Policy object (GPO). Enable the Audit system events policy. Link the GPO to the SalesUsers organizational unit.

Explanation :

You should create a new GPO, enable the Audit system events policy, and link the GPO to the SalesPC organizational unit. The Audit system events policy records events related to a computer starting up or shutting down, as well as events that affect system security or the security log. Enabling it for success writes a record of each startup and shutdown to the Security log of every computer the policy applies to, which lets you correlate the restarts with what else happened on those computers at the time. You configure the Audit system events policy in the GPO's Computer Configuration settings and then link the GPO to the appropriate organizational unit. In this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit.

You should not create a new GPO, enable the Audit system events policy, and link the GPO to the SalesUsers organizational unit. In this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit. Linking the GPO to the SalesUsers organizational unit will not allow you to identify the cause of the problem stated in this scenario.

You should not create a new GPO, enable the Audit process tracking policy, and link the GPO to the SalesPC organizational unit. An Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restarting or shutting down.

You should not create a new GPO, enable the Audit process tracking policy, and link the GPO to the SalesUsers organizational unit. An Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restarting or shutting down. Also, in this scenario, the client computers in the sales department are located in the SalesPC organizational unit. Therefore, you should link the GPO to the SalesPC organizational unit.
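Enabling the audit policy is only half of either investigation; the other half is reading what it produces. The following script is an added example, not part of the original questions or of any Microsoft documentation, and serves both the Audit logon events scenario (network connection attempts against the five WinServers members) and the Audit system events scenario (what keeps restarting the three SalesPC computers). It assumes PowerShell 2.0 on Windows Server 2008 for Get-WinEvent, an account allowed to read the remote event logs, and the server and computer names given inline.

```powershell
# Added example, not part of the original questions: confirm the audit policy applied, then
# summarise network logons per server and restart requests per client. Names are assumptions.

# Effective audit policy on the local computer. "Logon" is the subcategory behind Audit logon
# events; "Security State Change" is the startup/shutdown part of Audit system events.
function Get-EffectiveAuditPolicy {
    auditpol /get /subcategory:"Logon"
    auditpol /get /subcategory:"Security State Change"
}

# Pull the named EventData fields of a Security event out of its XML rendering.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# Audit logon events: 4624 = logon succeeded, 4625 = logon failed. Logon type 3 is a network
# logon (SMB, RPC, ...), which is what a "network connection attempt" looks like in the log.
function Get-NetworkLogons([string]$ComputerName, [datetime]$Since) {
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.LogonType -ne '3') { return }
            $result = 'failure'
            if ($_.Id -eq 4624) { $result = 'success' }
            New-Object PSObject -Property @{
                Server  = $ComputerName
                Time    = $_.TimeCreated
                Result  = $result
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = $d.IpAddress        # '-' when the source address was not recorded
                Status  = $d.Status           # NTSTATUS on 4625, e.g. 0xc000006d = bad credentials
            }
        }
}

# Audit system events counterpart: System log event 1074 (source User32) names the process and
# user that asked for a shutdown or restart, and the reason they gave.
function Get-RestartRequests([string]$ComputerName, [datetime]$Since) {
    $filter = @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Time     = $_.TimeCreated
                Process  = $p[0].Value     # e.g. shutdown.exe, msiexec.exe, or the new software's updater
                User     = $p[6].Value
                Type     = $p[4].Value     # 'restart' or 'shutdown'
                Reason   = $p[2].Value
            }
        }
}

$since = (Get-Date).AddDays(-2)

# Scenario 1: who is connecting to the five servers, from where, and how often it fails.
$servers = 'SRV1', 'SRV2', 'SRV3', 'SRV4', 'SRV5'          # assumption: the WinServers members
$logons  = foreach ($s in $servers) { Get-NetworkLogons -ComputerName $s -Since $since }
$logons | Group-Object Source, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Scenario 2: which process keeps restarting the three sales computers.
$salesPcs = 'SALES-PC01', 'SALES-PC02', 'SALES-PC03'      # assumption: the affected SalesPC members
$restarts = foreach ($pc in $salesPcs) { Get-RestartRequests -ComputerName $pc -Since $since }
$restarts | Sort-Object Time | Format-Table Computer, Time, Type, Process, User -AutoSize
```

Run Get-EffectiveAuditPolicy on one of the target computers first: an empty result from the Security log is only meaningful once you know the GPO applied. For the restart case, a five-minute cadence with the same process name in every 1074 event points straight at the newly installed software rather than at a user.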

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Configure audit policy by using GPOs.

References :

Audit system events Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/a8297bc2-d53a-4a2f-94c5-8e412ae4e3861033.mspx?mfr=true

HOW TO: Audit Active Directory Objects in Windows Server 2003 Microsoft Help and Support Link: http://support.microsoft.com/kb/814595

Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true

How To Audit Changes to Domain Services Course 6043


Question ID :

flm9MS_70-640-010

Your network is configured as a single Active Directory domain. You deploy a read-only domain controller (RODC) in a branch office.

You need to specify a user to manage the RODC locally. The user should have permissions for that RODC only. You are currently logged on at the RODC as a member of the Domain Admins group.

What should you do?

1. Use Active Directory Users and Computers to make the user a member of Domain Admins.

2. Use the OCSetup command.

3. Use the Appcmd command.

4. Use Active Directory Users and Computers and add the user to the Managed By tab. <Correct>

Explanation :

You should use Active Directory Users and Computers to add the user's name to the Managed By tab of the RODC's account properties. You need to configure Administrator Role Separation for the RODC. This identifies a user as a local administrator for the RODC. The user will have permissions for that RODC only and no other domain controllers or RODCs.

You can also use the Dsmgmt local roles command or the Ntdsutil local roles command. Note that using these commands stores the administrator role locally on the RODC and not in Active Directory.

You should not use Active Directory Users and Computers to make a user a member of Domain Admins. This would give the user more rights than necessary. The user would be able to manage any domain controller.

You should not use the Appcmd command. Appcmd is used to manage Internet Information Services (IIS) from the command line.

You should not use the OCSetup command. OCSetup lets you add roles on a Server Core installation, but it does not let you configure the roles. You would use OCSetup if you were configuring a Server Core installation as an RODC, but you could not use it to configure the RODC instance.
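Both delegation mechanisms the explanation describes, scripted, as an added example that is not part of the original question: the Managed By tab equivalent (writing the managedBy attribute on the RODC's computer object) and the local-role equivalent (dsmgmt on the RODC itself), followed by the check that the delegation did not widen into domain-level rights. The RODC and user names are assumptions.

```powershell
# Added example, not part of the original question: delegate administration of one RODC and
# verify the scope. Distinguished names and the account name below are assumptions.
$RodcDn    = 'CN=BRANCH-RODC1,OU=Domain Controllers,DC=corp,DC=example'   # assumption
$AdminDn   = 'CN=Branch Admin,OU=Branch,DC=corp,DC=example'               # assumption
$AdminName = 'CORP\branchadmin'                                             # assumption

# 1. Managed By tab equivalent: managedBy on the RODC's computer object. Stored in AD and
#    replicated, and it is exactly what the tab in Active Directory Users and Computers edits.
$rodc = [ADSI]"LDAP://$RodcDn"
$rodc.Put('managedBy', $AdminDn)
$rodc.SetInfo()
"managedBy is now: " + ([ADSI]"LDAP://$RodcDn").managedBy

# 2. Local role equivalent, run on the RODC itself. dsmgmt (or ntdsutil) writes the role into
#    the RODC's local database only: it does not replicate and does not show up in the
#    Managed By tab, so record it somewhere or you lose track of who can administer the box.
dsmgmt "local roles" "add $AdminName administrators" "show role administrators" quit quit

# 3. Scope check: the delegated user must not also hold a domain-wide admin group.
$user = [ADSI]"LDAP://$AdminDn"
$user.memberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise) Admins,' }   # expect no output
```

The delegated account is a local administrator on that RODC, which includes access to whatever account secrets the RODC is allowed to cache; keep the RODC's Password Replication Policy limited to accounts the branch administrator is already trusted with.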

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure the read-only domain controller (RODC).

References :

Lesson 2: Read-Only Domain Controller Operation Course 6416A

Administrator Role Separation Configuration Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/c0a45344-f77b-4ea6-8685-37a51f853b571033.mspx?mfr=true

RODC Administration Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/f5123310-a004-452f-b9a9-87643ac55dde103


Question ID :

flm9MS_70-640-058

Your network is configured as a multiple-domain Active Directory forest that includes several geographic locations. Each location is configured with at least one domain controller. The network uses a mix of writable and read-only domain controllers (RODCs).

You need to improve performance when searching for resources available in the forest from one of the remote offices. The remote office supports 200 users. The office does not support any remote users. The wide area network (WAN) link is available all of the time, but you need to reduce traffic over the link. The office currently has one RODC.

What should you do?

1. Replace the RODC with a writable domain controller.

2. Deploy a second RODC.

3. Configure the RODC as a global catalog server. <Correct>

4. Enable universal group caching.

Explanation :

You should configure the RODC as a global catalog server. Microsoft recommends placing a global catalog server in any location that:

* supports applications that require the global catalog.

* supports 100 or more users.

* supports several remote users.

The global catalog is used any time users search for forest resources. Placing a copy of the global catalog on the local domain controller makes it able to respond more quickly to user requests. Also, because the requests are handled locally, traffic over the wide area link is reduced overall. There would be some additional background traffic required to support global catalog replication, but this would occur only when there are changes to the global catalog. This would be less than the traffic necessary to support queries to the global catalog.

Replacing the existing domain controller or adding a second domain controller will not correct this situation unless one of them is a global catalog server. However, you might consider adding a second domain controller if you are concerned about fault tolerance.

There is no need to enable universal group caching. Microsoft recommends deploying a domain controller and enabling universal group caching if:

* None of the requirements for a local global catalog are met.

* The WAN link is always available.

Since the location has over 100 users, the better solution is to configure the RODC as a global catalog server.
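Enabling the global catalog is normally done in Active Directory Sites and Services, but it is a single attribute bit, which makes it easy to script for either placement decision: every domain controller in a single-domain forest (the earlier question) or one branch-office RODC (this one). The following is an added example, not part of the original questions or of Microsoft's tools: it finds the NTDS Settings objects in the configuration partition, sets bit 1 (NTDSDSA_OPT_IS_GC) of their options attribute, and then checks that a global catalog can actually be located. The RODC and domain names are assumptions.

```powershell
# Added example, not part of the original questions: enable the global catalog on all DCs or
# on one named RODC by setting the IS_GC bit on NTDS Settings. Names are assumptions.
function Get-NtdsSettingsObjects {
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$cfg")
    $searcher.Filter   = '(|(objectClass=nTDSDSA)(objectClass=nTDSDSARO))'   # writable DCs and RODCs
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) { $r.GetDirectoryEntry() }
}

function Get-DcName([DirectoryServices.DirectoryEntry]$Ntds) {
    # NTDS Settings sits under the server object: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,...
    $Ntds.psbase.Parent.psbase.Name -replace '^CN=', ''
}

function Enable-GlobalCatalog([DirectoryServices.DirectoryEntry]$Ntds) {
    $options = [int]($Ntds.options.Value)       # an unset attribute reads as 0
    if ($options -band 1) {
        "{0}: already a global catalog" -f (Get-DcName $Ntds)
        return
    }
    $Ntds.Put('options', ($options -bor 1))     # bit 1 = NTDSDSA_OPT_IS_GC
    $Ntds.SetInfo()
    "{0}: IS_GC set; it advertises as a GC once the partial partitions have replicated" -f (Get-DcName $Ntds)
}

# Scenario 1 (single domain): every domain controller becomes a global catalog.
Get-NtdsSettingsObjects | ForEach-Object { Enable-GlobalCatalog $_ }

# Scenario 2 (this question): only the branch-office RODC.
$rodc = 'BRANCH-RODC1'                                         # assumption
Get-NtdsSettingsObjects | Where-Object { (Get-DcName $_) -eq $rodc } |
    ForEach-Object { Enable-GlobalCatalog $_ }

# Checks: the DSA option is set, and a locator query aimed at that DC returns it as a GC.
repadmin /options $rodc                                        # lists DSA options; look for IS_GC
nltest /server:$rodc /dsgetdc:corp.example /gc                 # assumption: corp.example is the domain
```

In a single domain there are no partial partitions to replicate, so the new global catalog advertises almost immediately; in the multi-domain forest of this question the RODC first has to pull the read-only partial replicas of the other domains across the WAN link, which is the one-time cost the explanation refers to.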

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure the global catalog.

References :

Planning Global Catalog Server Placement Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true

Global catalogs and sites Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/0e74916d-28d7-4cdd-8dce-89c824622fcd1033.mspx?mfr=true


Question ID :

rrMS_70-640-025

Your network includes four domain controllers. DC1 is configured for the PDC emulator role. You need to take DC1 down for maintenance.

You need to assign the role to DC2 during maintenance.

What should you do?

In the list on the right, select the steps you should take. Place your selections in the list on the left in the order in which you should take them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You should perform the following steps:

* Open Active Directory Users and Computers.

* Connect to DC2.

* Transfer the PDC emulator role.

You transfer the PDC emulator role using Active Directory Users and Computers or ntdsutil. You must connect to the target computer (the one to which the role is being transferred) before transferring the role. Because the server is operational, you should transfer the role instead of seizing it.

You should not open Active Directory Sites and Services. You do not manage any operation master roles from Active Directory Sites and Services.

You should not open Active Directory Domains and Trusts. You manage the domain naming operations master role from Active Directory Domains and Trusts, not the PDC emulator role.

You should not connect to DC1. You must be connected to the target domain controller to transfer the role.

You should not seize the role. You should only seize a role if the server that holds the role is inaccessible.
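The same transfer from the command line with ntdsutil, as an added example that is not part of the original question: connect to the target DC, transfer the role, and confirm the new holder before and after. The domain controller names are assumptions.

```powershell
# Added example, not part of the original question: transfer the PDC emulator to DC2 with
# ntdsutil and verify it landed. Run from an elevated prompt as a Domain Admin. Names are assumptions.
$Target = 'DC2'                                      # assumption: the DC that takes the role

function Get-PdcEmulator {
    # "netdom query fsmo" prints one line per role, e.g. "PDC    dc1.corp.example"
    (netdom query fsmo | Where-Object { $_ -match '^PDC\s' }) -replace '^PDC\s+', ''
}

"Before: PDC emulator is " + (Get-PdcEmulator)

# roles -> connections -> bind to the target -> back up one level -> transfer.
# The connection must be to the DC that receives the role, exactly as with the MMC.
# ntdsutil shows a confirmation dialog for a transfer, so run this interactively.
ntdsutil roles connections "connect to server $Target" quit "transfer PDC" quit quit

$after = Get-PdcEmulator
"After:  PDC emulator is $after"
if ($after -notmatch "^$Target\.") { Write-Warning "transfer did not land on $Target; see dcdiag" }

# Independent confirmation from the directory's point of view.
dcdiag /test:KnowsOfRoleHolders /s:$Target
```

Two follow-ups belong on the maintenance checklist: the PDC emulator is the authoritative time source for the domain, so the new holder's time configuration should be checked after the transfer, and the role should be transferred back (with the same procedure, connected to DC1) once DC1 is returned to service.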

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure operations masters.

References :

Transfer the PDC emulator role Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver/en/library/c3a082ac-d855-48ba-a3d9-3b3a945cd7261033.mspx?mfr=true


Question ID :

niit9MS_70-640-088

Your company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008 and are members of the domain. You are in the process of installing Active Directory Certificate Services (AD CS) on a server named CertSrv. You want to install the Certification Authority (CA) role service and Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service.

You attempt to install the CA role service and the MSCEP role service simultaneously on CertSrv, but receive an error message that states: Cannot Install MSCEP.

What should you do to ensure that you are able to install both role services on CertSrv?

1. Install the CA role service first and then install the MSCEP role service.

<Correct>

2. Install Active Directory Lightweight Directory Services (AD LDS) on CertSrv.

3. Install an Online Responder service before installing the MSCEP role service.

4. Install Active Directory Domain Services (AD DS) on CertSrv.

Explanation :

You should install the CA role service first and then install the MSCEP role service. AD CS provides services for creating and managing public key certificates. Four role services can be installed on an AD CS server: Certification Authority, Certification Authority Web Enrollment, Online Responder (which implements the Online Certificate Status Protocol, OCSP), and Network Device Enrollment Service (which implements MSCEP). MSCEP allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. Windows Server 2008 does not allow you to install the CA role service and the MSCEP role service in the same pass of the Add Roles Wizard. To install both role services on CertSrv, first complete the CA setup and then add the MSCEP role service.

You should not install AD DS or AD LDS on CertSrv. The problem in this scenario is that Windows Server 2008 does not allow you to install the CA role service and the MSCEP role service simultaneously. Access to AD DS is required when you want to install an enterprise root CA in your domain, but it does not need to be installed on the same server as AD CS.

You should not install an Online Responder service before installing the MSCEP role service. Online responders are used as an alternative to or an extension of Certificate Revocation Lists (CRLs) to provide certificate revocation data. You can use an Online Responder based on OCSP to manage and distribute revocation status information when the use of conventional CRLs is not an optimal solution.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Install Active Directory Certificate Services.

References :

Windows Server Active Directory Certificate Services Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx

How To Install Server Roles and Server Features Course 6042


Question ID :

niit8MS_70-640-097

Your company has a main office and a branch office. The servers on the company's network run Windows Server 2008. Each office has its own Active Directory domain.

There are three file servers in the main office named File1, File2, and File3. The users in the main office who access File1 and File2 are reporting that file downloads have been slow for the past two days from 3 P.M. to 5 P.M.

You want to see the processor and memory usage on File1 and File2. You want to schedule performance logs and alerts on both File1 and File2 to start at 3 P.M.

Which tool should you use?

1. Event Viewer

2. Windows Task Manager

3. Reliability and Performance Monitor <Correct>

4. Component Services

Explanation :

You should use Reliability and Performance Monitor to set the performance logs and alerts on both File1 and File2 to start at 3 P.M. When you open Reliability and Performance Monitor, you will see the option Performance Logs and Alerts. You can open the Performance Logs and Alerts and set the new log for memory and processor to be scheduled at 3 P.M. The Windows Reliability and Performance Monitor combines several previous stand-alone tools, such as Performance Logs and Alerts, Server Performance Advisor, and System Monitor.

You should not use Windows Task Manager to schedule performance logs and alerts. Windows Task Manager does not allow you to create a new performance log or alert. Windows Task Manager shows only the current applications, processes, performance, network usage, and users that are currently connected to the server.

You should not use Event Viewer to schedule performance logs and alerts. Event Viewer does not allow you to create a new performance log or alert. Event Viewer shows only the event logs that have been created.

You should not use Component Services to schedule performance logs and alerts. Component Services does not allow you to create a new performance log or alert. Component Services only allows you to access Active Directory Users and Computers, Event Viewer and Services.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Monitor Active Directory.

References :

Windows Reliability and Performance Monitor Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d04-98ad-55d9a09677101033.mspx?mfr=true

Performance Logs and Alerts overview Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/b3d458a8-7d62-4f2a-80bb-c16e75994b1d1033.mspx?mfr=true

What Is Windows Reliability and Performance Monitor? Course 6042


Question ID :

niit8MS_70-640-078

Your company's network consists of a single Active Directory domain. You install a Certification Authority (CA) on a stand-alone computer that runs Windows Server 2008. The network also contains a file server named FileSrv1 that is installed on a member server running Windows Server 2008. FileSrv1 contains files that are accessed by all users on the network.

You prepare the offline root CA to issue certificates to all users in the domain. You issue a certificate to each user to log on to the domain.

You need to ensure that once a certificate is revoked for a user, the user is unable to log on to the domain by using the revoked certificate.

What should you do?

1. Run the Certutil -dsPublish -f command.

2. Change the Uniform Resource Locator (URL) location of the Certificate Revocation List (CRL) distribution point to FileSrv1. <Correct>

3. Change the default action of the stand-alone root CA for request handling.

4. Run the Certutil -pulse command.

Explanation :

You should change the URL location of the CRL distribution point to FileSrv1. Every certificate that is issued by a Microsoft CA contains the URL of CRL distribution points as part of its content. A CRL distribution point provides a certificate verifier with the network location where it can retrieve the current copy of the CRL or delta CRL. By default, CRL and delta CRL files are published on the CA in the %Systemroot%\System32\CertSrv\CertEnroll folder. You can specify multiple CRL distribution points for a CA. When preparing an offline root CA to issue certificates, you must change the URL location of the CRL distribution point to a location that is accessible to all users on the network. Performing this step is necessary because the offline CA's default CRL distribution points are not accessible to users on the network, which causes certificate revocation checking to fail. In this scenario, FileSrv1 is accessible to all users. Therefore, you should change the URL location of the CRL distribution point to FileSrv1.

You should not run the Certutil -pulse command. This command is used to start autoenrollment for the new certificates.

You should not run the Certutil -dsPublish -f command. This command is used to publish a certificate or CRL to Active Directory. The -f parameter in the Certutil -dsPublish command overwrites existing files or keys. A stand-alone root CA does not have access to Active Directory. Therefore, running the Certutil -dsPublish -f command will not be useful.

You should not change the default action of the stand-alone root CA for request handling. The default request handling action for a stand-alone root CA is to place all requests in the Pending Requests list. When you change the default request handling action for a stand-alone CA, the CA will be configured to automatically issue certificates without verifying the identity of the certificate requester. However, changing the default action of the stand-alone root CA for request handling will not make the CRL distribution point on an offline root CA available to users on the network.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Install Active Directory Certificate Services.

References :

Checklist: Creating a certification hierarchy with an offline root certification authority Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/45c28bf8-9952-4ca1-b124-7d86afb83f691033.mspx?mfr=true

Revoking certificates and publishing CRLs Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true

Specify certificate revocation list distribution points in issued certificates Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/6c95826e-8c8d-4138-bae6-a92e8612499f1033.mspx?mfr=true


Question ID :

rrMS_70-640-018

Your network has a corporate office and a branch office. It is configured as a single Active Directory domain and two sites - one for each office. There are three domain controllers at the corporate office and a read-only domain controller (RODC) at the branch office.

Users at the branch office report that performance is slow when accessing resources at the corporate office during the business day.

You need to improve performance for the users at the branch office. Your solution must ensure that all changes to Active Directory are replicated to the branch office and must not grant any additional rights to administrators at the branch office.

What should you do?

1. Configure the site link to use Simple Mail Transfer Protocol (SMTP) instead of Remote Procedure Call over Internet Protocol (RPC over IP).

2. Add a child domain for the computers at the branch office.

3. Configure the site link so that Active Directory replication occurs only after hours. <Correct>

4. Configure the domain controller at the branch office as a standard domain controller.

Explanation :

You should configure the site link so that Active Directory replication occurs only after hours. Active Directory replication uses bandwidth. Therefore, you can improve performance by limiting replication to times outside high traffic periods.

You should not configure the site link to use SMTP instead of RPC over IP. SMTP can be used for replicating global catalog data, but it cannot be used to replicate the domain partition. While using SMTP would reduce the replication traffic, it would not replicate all the necessary data because it cannot be used to replicate the entire domain partition. Therefore, the RODC would not be kept up to date with all Active Directory data.

You should not add a child domain for computers at the branch office. Separating the branch office into a separate domain might reduce the amount of traffic due to replication, but it will not meet the requirements. You would either need to add a domain controller for that domain to the network at the corporate office or make the domain controller at the branch office a standard domain controller. If you add a domain controller for the child domain to the corporate office, there would still need to be replication across the WAN link. If you make the domain controller at the branch office a standard domain controller, administrators at the branch office would be able to create and modify objects in Active Directory.

You should not make the domain controller at the branch office a standard domain controller. Doing so would not decrease traffic because replication would still occur during business hours and the solution would allow administrators at the branch office the ability to modify Active Directory objects.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure Active Directory replication.

References :

Configure Intersite Replication Availability Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/16a9a735-8a73-45a3-a629-a98da46452b6103


Question ID :

rrMS_70-640-011

Your company's network is configured as a single domain. All domain controllers are running Windows Server 2003. Some member servers run Windows Server 2003. Others run Windows 2000 Server.

You are preparing to add a domain controller running Windows Server 2008 to the domain. You need to prepare Active Directory for the new server.

What should you do?

In the list on the right, select the commands you should run before installing Windows Server 2008. Place your selections in the list on the left in the order in which you should run them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You must first extend the schema by running the adprep /forestprep command on the schema master. Next you should execute adprep /domainprep on the infrastructure master to prepare the domain for its first Windows Server 2008 domain controller.

You should not execute adprep /domainprep /gpprep. You only need to execute adprep /domainprep /gpprep if there are domain controllers running Windows 2000 Server in the domain.

You should not execute dcpromo /uninstall. You should not remove the domain controller role before upgrading a domain controller to Windows Server 2008.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure a forest or a domain.

References :

Lesson 1: Installing Active Directory Domain Services Course 6425A

Adprep Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/aa923ebf-de47-494b-a60a-9fce083d2f691033.mspx?mfr=true


Question ID :

dhMS_70-640-013

Your company has a main office and several branch offices. Servers are running Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers in all locations are members of a single domain. Each branch office is configured as a separate site with its own domain controllers.

One of the branch offices is connected to the main office by a 56-Kbps WAN connection. Users are reporting that response time is slow when accessing resources in the main office. You discover that the problem is due to inter-site Active Directory replication.

You need to minimize replication traffic over the WAN link.

What should you do? (Each correct answer presents a complete solution. Choose two.)

1. Move domain controllers into the same Active Directory site as the domain controllers in the main office.

2. Configure domain controllers in the branch office as read-only domain controllers (RODCs). <Correct>

3. Increase the replication interval for the site link. <Correct>

4. Enable universal group membership caching in the branch office.

Explanation :

You should increase the replication interval for the site link connecting the branch office site to the main office site. Active Directory replication between the domain controller in the branch office site and the domain controller in the main office is consuming too much bandwidth on the WAN connection. You can reduce replication traffic across the link by configuring replication to occur less frequently. You can accomplish this by increasing the replication interval.

Another solution is to configure DC10 as an RODC. An RODC hosts a read-only copy of the Active Directory database and is typically deployed in branch office environments. Since no changes can be written to the RODC, replication traffic is unidirectional only. As a result, there will be less replication traffic on the WAN connection.

You should not enable universal group membership caching. This solution will not decrease the amount of replication traffic on the WAN connection. If universal groups are being used, a global catalog server must be available to enumerate universal group membership before you can be authenticated to the domain. Universal group caching ensures that users can log on even if a global catalog server is not available. This is useful in branch offices that are connected to head offices by slow WAN links.

You should not move the domain controllers into the same Active Directory site as the main office domain controllers. This solution will increase network traffic. If branch office domain controllers are in the same Active Directory site as the domain controllers physically located in the main office, replication traffic will increase. Replication within a site occurs more often than replication between sites.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure sites.

References :

AD DS: Read-Only Domain Controllers Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

Determining the Schedule Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/afeaea89-8ca0-43ed-bd44-4c822d6535081033.mspx?mfr=true


Question ID :

niit9MS_70-640-085

Your organization has a main office and a branch office. You have deployed Windows Server 2008 on all servers in your organization. You install Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), and Active Directory Domain Services (AD DS) on a server in the main office. You configure the server as a domain controller for the root domain in a new forest.

You need to deploy a read-only domain controller (RODC) in the branch office.

What should you do?

In the list on the right, select the tasks that you should perform to deploy the RODC. Place your selections in the list on the left in the order in which you should perform them, with the first task at the top of the list. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You should run dcpromo.exe to launch the Active Directory Domain Services Installation Wizard. This wizard allows you to configure a domain controller as an RODC. An RODC allows you to deploy a domain controller where physical security is not possible or where local storage of all domain passwords is not secure.

You should then select the Add a domain controller to an existing domain option under the Existing Forest section on the Choose a Deployment Configuration page.

You should not run azman.msc. The azman.msc command opens the Authorization Manager, which allows you to create, deploy, and maintain a new authorization store.

You should not select the Create a new domain in an existing forest option on the Choose a Deployment Configuration page. This option will configure the server as the first domain controller in the new domain, and you cannot configure the first domain controller as an RODC. The first domain controller can be configured as a global catalog server, but not as an RODC.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure the read-only domain controller (RODC).

References :

Steps for Deploying an RODC Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/8294cfa1-c828-4bba-82b2-e825e2f5a2401033.mspx?mfr=true

Guidelines for Deploying RODCs Course 6043


Question ID :

rrMS_70-640-055

Your company's network is configured as a single Active Directory domain with three sites: Chicago, New York, and Atlanta. Your company is planning to implement smart card authentication. Certificate enrollment must meet the following requirements:

* User interaction should be minimized.

* Certificates must use the Cryptographic Service Provider (CSP) installed by the manufacturer's software.

* Smart card certificates must be valid for 2 years.

* Smart card certificates must be able to protect e-mail.

You need to create the certificate template that will be used to issue smart card certificates.

What should you do?

1. Duplicate the existing Smart Card User certificate template.

Change the CSP and the validity period. Select Enroll subject without requiring any user input.

2. Duplicate the existing Smart Card Logon certificate template.

Change the CSP and the validity period.

3. Duplicate the existing Smart Card Logon certificate template.

Change the CSP and the validity period. Select Enroll subject without requiring any user input.

4. Duplicate the existing Smart Card User certificate template.

Change the CSP and the validity period. <Correct>

Explanation :

You should perform the following steps:

* Duplicate the existing Smart Card User certificate template.

* Change the CSP and the validity period.

The predefined Smart Card User certificate template allows users to log on and protect e-mail. When choosing a template to duplicate as a base for a custom template, you should choose the one closest in purpose to the certificate you need. You only need to change the CSP and the validity of the Smart Card User certificate for it to meet the requirements.

You should not duplicate the Smart Card Logon certificate template. The Smart Card Logon certificate cannot be used to protect e-mail.

You should not select Enroll subject without requiring any user input. The smart card administrator must be prompted to insert the smart card. Therefore, you cannot clear this option when creating the certificate template.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Manage certificate templates.

References :

Active Directory Certificate Services Longhorn Beta3 Certificate Templates Whitepaper Microsoft Downloads Link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en


Question ID :

dhMS_70-640-014

Your company has a main office and several branch offices. Servers are running Microsoft Windows Server 2008. Client computers are running Microsoft Windows XP Professional. Computers in all locations are members of a single domain. Each branch office is configured as a separate site with its own domain controllers.

Two additional branch offices have been opened, and you need to configure the site topology. You configure the two branch offices as separate sites. You discover that both locations are connected to the main office using T1 WAN connections that are already heavily used during business hours.

You need to configure the site links for both locations to connect to the main office site. You do not want to consume additional bandwidth during busy times.

What should you do?

1. Create site links that use Remote Procedure Call (RPC) over IP. Configure the replication schedule so that replication can occur only during non-business hours. <Correct>

2. Create site links that use Simple Mail Transfer Protocol (SMTP). Configure the replication schedule so that replication can occur only during non-business hours.

3. Create site links that use Remote Procedure Call (RPC) over IP.

4. Create site links using Simple Mail Transfer Protocol (SMTP).

Explanation :

You should create site links that use RPC over IP and configure the replication schedule so that replication can occur only during non-business hours. By doing so, you will not consume additional bandwidth on the already heavily used WAN connections during business hours.

You should not create SMTP site links. SMTP provides limited replication functionality. SMTP does not support site link schedules, which means that you cannot schedule replication to occur during non-business hours. SMTP will not be supported in future versions of Active Directory Domain Services, and therefore it is not recommended as a replication transport method.

You should not just create site links that use Remote Procedure Call (RPC) over IP. You should not allow replication to occur during business hours. The WAN connection is already heavily used during business hours. Therefore, to optimize the existing bandwidth, replication should be scheduled to occur during non-business hours.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure sites.

References :

Creating a Site Link Design Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/d35bcae0-fe46-4f6f-8cf2-df09e58965461033.mspx?mfr=true


Question ID :

dhMS_70-640-001

Your company's network contains servers running Microsoft Windows Server 2008 and client computers running Windows XP Professional and Vista Enterprise. All computers are members of a single Active Directory domain named MedDev.com.

MedDev has just acquired another company named GoShop, Inc. GoShop, Inc. has an existing Active Directory domain and Domain Name System (DNS) infrastructure that needs to remain in place. MedDev and GoShop, Inc. will each maintain its own DNS servers.

You want to optimize name resolution when users in MedDev access resources in GoShop, Inc. You want to accomplish this with the least amount of administrative effort.

What should you do?

1. Configure conditional forwarding on the DNS server at GoShop, Inc.

2. Send name resolution requests for hosts in GoShop, Inc. to a designated DNS server.

3. Forward all name resolution requests to a DNS server in GoShop, Inc.

4. Configure conditional forwarding on the DNS server at MedDev.

<Correct>

5. Add a host name record to the root hints file that points to the DNS server in GoShop, Inc.

6. Create a stub zone on the DNS server in MedDev.

Explanation :

You should configure conditional forwarding on the DNS server at MedDev. When the DNS server in MedDev receives a name resolution request for a host in GoShop, Inc. the request will be sent directly to the DNS server in GoShop, Inc. The DNS server in MedDev will not need to query root name servers to resolve the name resolution requests, thereby optimizing name resolution performance.

You should not add a host name record to the root hints file. Root hints are used by DNS servers to locate other authoritative DNS servers. Adding an entry to the root hints will allow the DNS server in MedDev to locate the server authoritative for GoShop, Inc. However, by implementing conditional forwarding, the root hints file does not need to be parsed and authoritative DNS servers do not need to be queried.

You should not configure conditional forwarding on the DNS server at GoShop, Inc. You configure conditional forwarding on the DNS server in the domain where the requests will originate. You want name resolution requests originating in MedDev for hosts in GoShop, Inc. forwarded to the DNS server in GoShop, Inc. Therefore, you should configure conditional forwarding on the DNS server in MedDev.

You should not create a stub zone on the DNS server in MedDev. Stub zones ensure that DNS servers authoritative for a parent zone automatically receive updates about the DNS servers for child zones. Since the name resolution requests are for DNS clients in another network, you should use conditional forwarding.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure DNS server settings.

References :

Configure a DNS Server to use forwarders Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx?mfr=true

DNS Server Role Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true


Question ID :

flm9MS_70-640-055

Your network is configured as a single Active Directory domain. You have not deployed a public key infrastructure (PKI) in the domain. The client computers on your network run either Microsoft Windows XP Professional or Windows Vista.

You need to provide secure communication with a server running Windows Server 2008. The solution must meet the following requirements:

* The connection must use end-to-end encryption.

* Only those clients that you identify should be able to communicate with the server.

* Changes to the network and to client computers needed to deploy the solution must be minimal.

What should you do? (Each correct answer presents part of the solution. Choose three.)

1. Deploy a stand-alone Certificate Authority (CA). <Correct>

2. Configure an isolated subnet bounded by a firewall.

3. Issue only a server computer certificate.

4. Use Secure Socket Tunneling Protocol (SSTP).

5. Use IP Security (IPSec) authenticated by domain user account.

6. Use IP Security (IPSec) authenticated by client computer. <Correct>

7. Issue client and server computer certificates. <Correct>

8. Physically move the server running Windows Server 2008 to the isolated subnet.

9. Deploy an enterprise root Certificate Authority (CA).

Explanation :

You need to deploy a stand-alone CA, issue client and server certificates, and use IPSec authenticated by client computer. IPSec authenticated by computer provides the security access and end-to-end encryption required by the solution. Mutual authentication is used when establishing the connection, so certificates are necessary on both the server and clients.

You should not deploy an enterprise root CA. This will require additional effort and changes to the network to secure the root CA and configure CAs to issue certificates.

You should not use IP Security (IPSec) authenticated by domain user account. This is supported for Windows Vista and Windows Server 2008 only, so the Windows XP clients would not be supported by this solution.

You should not use SSTP. This is a protocol used for configuring virtual private networks (VPNs). A solution using SSTP would require making more changes to the network infrastructure than necessary.

You should not configure an isolated subnet or move the server to an isolated subnet. Neither action is required by the solution.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Configure CA server settings.

References :

Security rules for Windows Firewall and for IPsec-based connections in Windows Vista and in Windows Server 2008 Microsoft Help and Support Link: http://support.microsoft.com/kb/942957

IPsec: Frequently Asked Questions Microsoft TechNet Link: http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx


Question ID :

niit8MS_70-640-068

Your company has a main office and a branch office. The company's network consists of a single Active Directory domain at the Windows Server 2003 functional level. You install Windows Server 2008 on servers in the main office and Windows Server 2003 on servers in the branch office. The client computers in the main office run Windows Vista, and client computers in the branch office run Windows XP Professional.

You deploy Active Directory Rights Management Services (AD RMS) in the main office. However, you notice that no client computer in the branch office is able to protect its documents using the AD RMS service.

You need to fix the problem.

What should you do?

1. Raise the domain functional level to Windows Server 2008.

2. Upgrade all client computers in the branch office to Windows XP Professional Service Pack 2 (SP2).

3. Download and install the AD RMS client on all client computers in the branch office. <Correct>

4. Flush the RMS Message Queuing queue.

Explanation :

You should download and install the AD RMS client on all client computers in the branch office. Windows Vista includes the AD RMS client by default. However, earlier versions of Windows do not have the RMS client installed. To use the AD RMS service on a Windows XP computer, you can download and install the RMS client from the Microsoft Download Center.

You should not upgrade all computers to Windows XP Professional Service Pack 2 (SP2). Versions of Windows released prior to Windows Vista and Windows Server 2008 do not have the RMS client installed. Therefore, upgrading the client computers in the branch office to Windows XP Professional SP2 will not be useful.

You should not raise the functional level to Windows Server 2008. The domain in this scenario is already at the Windows Server 2003 functional level, which is sufficient to deploy AD RMS on your company's network. Therefore, raising the functional level to Windows Server 2008 will not fix the problem in this scenario.

You should not flush the RMS Message Queuing queue. You should flush the RMS Message Queuing queue to ensure that all messages are written to the RMS logging database when you are upgrading from RMS to AD RMS.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Rights Management Service (AD RMS).

References :

Active Directory Rights Management Services Overview Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.mspx?mfr=true

Pre-installation Information for Active Directory Rights Management Services Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed103

Question ID :

niit9MS_70-640-185

Your company has a main office that consists of a single Active Directory domain. All servers on the network run Windows Server 2008. A server named SRV1DC is configured as a domain controller.

The company opens a new branch office at a different location. You configure a Read-Only Domain Controller (RODC) named SRV2RODC in the branch office. You must ensure that sensitive information is not replicated between SRV1DC and SRV2RODC.

What should you do?

1. Disable the Krbtgt account on SRV2RODC.

2. Configure the Password Replication Policy on SRV2RODC.

3. Disable the Replicator user group on SRV2RODC.

4. Configure the RODC filtered attribute set. <Correct>

Explanation :

You should configure the RODC filtered attribute set. An RODC hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. By default, an RODC does not store user or computer credentials except for its own computer account and the Krbtgt account. The Krbtgt account is a unique account that is used for Kerberos authentication. When you want to prevent replication of sensitive information, you should configure the RODC filtered attribute set. The RODC filtered attribute set is a set of attributes that you can configure in the schema to ensure that these attributes are not replicated to an RODC.

You should not disable the Krbtgt account on SRV2RODC. The Krbtgt account is used by an RODC for Kerberos authentication. Disabling the Krbtgt account will not prevent sensitive information from being replicated between a writable domain controller and an RODC.

You should not configure the Password Replication Policy on SRV2RODC. The Password Replication Policy determines if an RODC should be allowed to cache a password. The Password Replication Policy lists the accounts for which passwords are permitted to be cached and accounts that are explicitly denied from having their passwords cached. The Password Replication Policy is configured and enforced on a writable domain controller.

You should not disable the Replicator user group on SRV2RODC. The Replicator user group supports file replication in a domain. Disabling the Replicator user group will not ensure that sensitive information is not replicated between a writable domain controller and an RODC.
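The following PowerShell script is added here as an illustration of the correct answer; it is not part of the practice test or of Microsoft's documentation. It adds a schema attribute to the RODC filtered attribute set by setting searchFlags bit 0x200 on the attribute's schema object, after checking that the attribute is not system-critical. The attribute name is a placeholder, and the script assumes its cn equals its lDAPDisplayName and that it runs as a member of Schema Admins.

```powershell
# Added example (not from the practice test): put a schema attribute into the RODC
# filtered attribute set (FAS) so its values are never replicated to SRV2RODC.
$attrName = 'branchPayrollSecret'   # placeholder: custom attribute holding sensitive data

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value

# Schema writes are only accepted by the schema master, so locate it and bind there.
$schemaObj    = [ADSI]"LDAP://$schemaNc"
$ownerNtds    = [ADSI]"LDAP://$($schemaObj.fSMORoleOwner.Value)"   # NTDS Settings of the schema master
$schemaMaster = ($ownerNtds.psbase.Parent).dNSHostName.Value
$attr         = [ADSI]"LDAP://$schemaMaster/CN=$attrName,$schemaNc" # assumes cn = lDAPDisplayName

$fasBit       = 0x200   # searchFlags fRODCFilteredAttribute: exclude from replication to RODCs
$confidential = 0x080   # searchFlags fCONFIDENTIAL: Read alone does not return the value
$criticalFlag = 0x001   # schemaFlagsEx FLAG_ATTR_IS_CRITICAL: such attributes cannot join the FAS

$flagsEx = [int]($attr.schemaFlagsEx.Value)
if ($flagsEx -band $criticalFlag) {
    throw "$attrName is system-critical and cannot be added to the RODC filtered attribute set"
}

$current = [int]($attr.searchFlags.Value)
$desired = $current -bor $fasBit -bor $confidential
if ($desired -ne $current) {
    $attr.Put('searchFlags', $desired)
    $attr.SetInfo()

    # Ask the schema master to reload its schema cache instead of waiting for the
    # periodic refresh, so the new flag is enforced immediately.
    $masterRootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $masterRootDse.Put('schemaUpdateNow', 1)
    $masterRootDse.SetInfo()
}

# Verify by re-reading the schema object from the schema master.
$attr.RefreshCache()
$final = [int]($attr.searchFlags.Value)
if (-not ($final -band $fasBit)) { throw 'searchFlags update did not take effect' }
"searchFlags for {0}: 0x{1:X} (FAS={2}, confidential={3})" -f $attrName, $final, [bool]($final -band $fasBit), [bool]($final -band $confidential)
```

The confidential bit is set alongside the FAS bit because the FAS only controls replication; a user who can read the attribute on a writable domain controller is still governed by permissions, not by the RODC setting.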

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure the read-only domain controller (RODC).

References :

AD DS: Read-Only Domain Controllers Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true

Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/f62c9720-a5c3-40c9-aa40-440026f585e91033.mspx?mfr=true

Step-by-Step Guide for Read-only Domain Controllers Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

How To Manage RODCs Course 6043

Question ID :

rrMS_70-640-059

Your company's network is configured as an Active Directory domain. CA1 is an Enterprise subordinate Certification Authority (CA) running Windows Server 2008. You issue a large number of smart card certificates.

You need to create a backup copy of only the CA and the certificates database.

What should you do? (Each correct answer presents a complete solution. Choose two.)

1. Log on as a member of the Backup Operators group. Use certutil with the -backup option. <Correct>

2. Log on as a member of the Administrators group. Use xcopy to back up the directory where certificates are stored.

3. Log on as a member of the Administrators group. Use certutil with the -store option.

4. Log on as a member of the Administrators group. Use Certificates to export the private keys.

5. Log on as a member of the Backup Operators group. Use Certification Authority to back up the CA database. <Correct>

Explanation :

You should perform the following steps:

* Log on as a member of the Backup Operators group.

* Use Certification Authority to back up the CA database.

You can use the Backup CA command in Certification Authority to back up only the CA and the certificates database. You must be a member of the Backup Operators group to perform this task.

Another way to perform the task is to use certutil with the -backup option to back up the CA and the certificates database. You must be a member of the Backup Operators group to perform this task. You should usually use the Backup utility to back up the CA database along with the server's configuration. However, in some situations, such as when you issue a large number of certificates, you might want to back up only the CA database. In these situations, use either Certification Authority or certutil.

You should not perform the following tasks:

* Log on as a member of the Administrators group.

* Use xcopy to back up the directory where certificates are stored.

To back up the CA, you must use Certification Authority, certutil, or Backup. You cannot just use xcopy to copy the directory where certificates are stored.

You should not perform the following steps:

* Log on as a member of the Administrators group.

* Use Certificates to export the private keys.

A backup of the CA must include more than just private keys. It must include the certificate database, the CA's signing certificate, and the CA's private key. Therefore, you cannot back up the database by exporting private keys.

You should not use the certutil command with the -store option. The -store option is used to view the certificates stored in a specific store.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Configure CA server settings.

References :

Backing up and restoring a certification authority Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/69e3aa8e-800c-435e-920a-f5eb2ac2a9ed1033.mspx?mfr=true

Back Up a Certification Authority Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/25fbd545-9aa8-4e2a-a9bc-eac92cf8bd401033.mspx?mfr=true

Question ID :

dhMS_70-640-003

You recently installed Microsoft Windows Server 2008 on all network servers. Client computers are running Microsoft Windows XP Professional and Windows Vista Enterprise. The network consists of a single forest. There are four child domains - one for each branch office. Each domain has two domain controllers.

One of the domain controllers in a branch office has lost connectivity to the network. You want to remove the domain controller from the domain and replace it with a new server.

What should you do?

1. Launch dcpromo and remove the domain controller from the existing domain.

2. Run the dcpromo /demotion command at the command prompt and then perform a metadata cleanup.

3. Launch dcpromo and select the option to delete the domain.

4. Run the dcpromo /forceremoval at the command prompt and then perform a metadata cleanup. <Correct>

Explanation :

Since the domain controller that you want to remove from the domain has lost connectivity to the network, you must force the removal of the domain controller from the domain. A domain controller is forcibly removed from a domain using the dcpromo /forceremoval command at the command prompt. After you remove the domain controller, you must manually perform a metadata cleanup.

You should not run the dcpromo /demotion command at the command prompt. The demotion option is used to remove a domain controller from a domain when the domain controller still has network connectivity to the domain.

You should not launch dcpromo and select the option to delete the domain. The scenario indicates that only the domain controller needs to be removed, not the entire domain. This solution will completely remove the domain from the forest.

You should not launch dcpromo and remove the domain controller from the existing domain. This removal method can only be used when removing a domain controller that still has connectivity to the domain.
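As an added illustration of the metadata cleanup step (not part of the practice test), the following PowerShell script runs on a surviving domain controller after the failed DC has been removed with dcpromo /forceremoval. The DC and site names are placeholders. It first checks whether the failed DC still owns any operations master role, because a DC with no connectivity cannot transfer roles and they must be seized before its metadata is removed.

```powershell
# Added example (not from the practice test): clean up the metadata of a DC that was
# forcibly removed. Run on a healthy DC in the same forest as a Domain/Enterprise Admin.
$failedDc = 'BRANCHDC1'     # placeholder: the DC that lost connectivity
$siteName = 'BranchSite'    # placeholder: the site that contains that DC

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value        # the child domain of the failed DC
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value
$serverDn = "CN=$failedDc,CN=Servers,CN=$siteName,CN=Sites,$configNc"

# Each operations master role records its holder as the DN of that DC's NTDS Settings object.
$roleHolders = @{
    'PDC Emulator'   = ([ADSI]"LDAP://$domainNc").fSMORoleOwner.Value
    'RID Master'     = ([ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNc").fSMORoleOwner.Value
    'Infrastructure' = ([ADSI]"LDAP://CN=Infrastructure,$domainNc").fSMORoleOwner.Value
    'Domain Naming'  = ([ADSI]"LDAP://CN=Partitions,$configNc").fSMORoleOwner.Value
    'Schema'         = ([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value
}
$orphaned = $roleHolders.GetEnumerator() | Where-Object { $_.Value -eq "CN=NTDS Settings,$serverDn" }
if ($orphaned) {
    # Roles still pointing at the dead DC must be seized (ntdsutil roles) on a healthy DC
    # before the metadata is removed; stop here so that is done deliberately.
    foreach ($role in $orphaned) { Write-Warning "$($role.Key) is still held by $failedDc; seize it first" }
    return
}

# Remove the NTDS Settings object, the server object, the computer account and the
# replication links of the failed DC. ntdsutil asks for confirmation before deleting.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Confirm the cleanup: the NTDS Settings object of the failed DC must be gone.
if ([ADSI]::Exists("LDAP://CN=NTDS Settings,$serverDn")) {
    throw "Metadata for $failedDc is still present in the directory"
}
"Metadata for $failedDc removed; the replacement server can now be promoted."
```

DNS resource records (NS, SRV and A records) that still name the removed DC are not deleted by this step and should be checked separately in DNS Manager before the replacement server is promoted.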

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure a forest or a domain.

References :

Forcing the Removal of a Windows Server 2008 Domain Controller Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ae4dd0e3-2019-4278-8efd-61c36ba9e1c01033.mspx?mfr=true

Steps for Removing AD DS Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/9260bb40-a808-422f-b33b-c3d2330f5eb8103

Question ID :

flm9MS_70-640-029

A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service.

You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer.

What should you do first? (Each correct answer presents a complete solution. Choose two.)

1. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.

2. Run Ntdsutil to compact the database.

3. Use Computer Manager to stop the Active Directory service. <Correct>

4. Restart the domain controller in Directory Services Restore Mode (DSRM).

5. Run Net stop to stop the Active Directory service. <Correct>

Explanation :

You should use either Computer Manager or the Net stop command to stop the Active Directory service. Windows Server 2008 supports restartable AD DS, which lets you perform some types of maintenance, including offline database compaction and movement, without affecting other services running on the computer.

You should not restart the domain controller in DSRM. This would allow you to compact the database, but it would also prevent users from accessing the other services supported on the computer.

You should not run Ntdsutil first. You need to first stop AD DS. Then you can use Ntdsutil to compact and then move the database.

You should not run Dcpromo to force removal of the AD DS role. There is no reason to remove the role. You can move the database without doing this.
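As an added illustration (not part of the practice test), the following PowerShell script carries out the procedure described above: stop AD DS with net stop, compact the database offline with Ntdsutil, move it, and restart AD DS, all while DHCP and other unrelated services keep running. The scratch directory and the destination folder on D: are assumptions.

```powershell
# Added example (not from the practice test): offline compaction and move of the
# AD DS database using restartable AD DS on Windows Server 2008.
$ErrorActionPreference = 'Stop'
$compactDir = 'C:\NTDS-Compact'   # assumed scratch location for the compacted copy
$newDbDir   = 'D:\NTDS'           # assumed destination for the moved database and logs

# Current database and log locations as recorded by AD DS.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath = (Get-ItemProperty $ntdsParams).'DSA Database file'
$logDir = (Get-ItemProperty $ntdsParams).'Database log files path'

# 1. Stop only AD DS and the services that depend on it (KDC, Intersite Messaging,
#    DNS Server if installed). DHCP and other services on the box keep running.
$dependents = (Get-Service ntds).DependentServices | Where-Object { $_.Status -eq 'Running' }
net stop ntds /y
if ((Get-Service ntds).Status -ne 'Stopped') { throw 'AD DS did not stop; aborting' }

# 2. Offline defragmentation: ntdsutil writes a compacted ntds.dit into the scratch folder.
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# 3. Swap in the compacted file, keep the original as a fallback, delete the old
#    transaction logs, and check the new file before AD DS is restarted.
Copy-Item $dbPath "$dbPath.bak"
Copy-Item (Join-Path $compactDir 'ntds.dit') $dbPath -Force
Remove-Item (Join-Path $logDir '*.log') -Force
ntdsutil "activate instance ntds" files integrity quit quit

# 4. Move the database and its logs; ntdsutil updates the registry paths and sets
#    the required NTFS permissions on the destination folder.
ntdsutil "activate instance ntds" files "move DB to $newDbDir" "move logs to $newDbDir" quit quit

# 5. Bring AD DS back, then the services that were stopped along with it.
net start ntds
foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
(Get-ItemProperty $ntdsParams).'DSA Database file'   # shows the new location
```

Restarting the domain controller in DSRM, by contrast, would take every service on the computer offline for the duration, which is the reason that option is rejected above.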

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Perform offline maintenance.

References :

Windows Server 2008 Restartable AD DS Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

Compact the directory database file (offline defragmentation) Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Module 4: Active Directory Domain Services Course 6416A

Question ID :

niit8MS_70-640-084

All servers on your company's network run Windows Server 2008. You have configured a scheduled backup on each server. The company requires you to modify the scheduled backup settings on a file server named FileSrv.

Before modifying the settings on FileSrv, you want to view a list of currently scheduled backup settings.

What should you do?

1. Run the Wbadmin start backup command without any parameter.

2. Run the Wbadmin start backup command with the -include parameter.

3. Run the Wbadmin enable backup command with the -schedule parameter.

4. Run the Wbadmin enable backup command without any parameter. <Correct>

Explanation :

You should run the Wbadmin enable backup command without any parameter. The Wbadmin enable backup command can be used to create a daily backup schedule or modify an existing backup schedule. This command can also be used to create customized backups. When the Wbadmin enable backup command is run without any parameters, it displays the currently scheduled backup settings.

You should not run the Wbadmin enable backup command with the -schedule parameter. The -schedule parameter is used to specify comma-delimited times of day in HH:MM format for backup.

You should not run the Wbadmin start backup command with the -include parameter or without any parameter. The Wbadmin start backup command is used to run a backup by using specified parameters. The -include parameter specifies a list of volume drive letters, volume mount points, or GUID-based volume names to include in the backup. The Wbadmin start backup command cannot be used to display a list of currently scheduled backup settings. When you run the Wbadmin start backup command without any parameters, the command runs the backup by using the settings for the scheduled backup.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Configure backup and recovery.

References :

Wbadmin enable backup Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/c0e57f8a-70fa-4c60-9754-e762e8ad87721033.mspx?mfr=true

Wbadmin Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/4b0b3f32-d21f-4861-84bb-b2eadbf1e7b81033.mspx?mfr=true

How To Back Up AD DCs Course 6043

Question ID :

niit8MS_70-640-067

Your company has a main office and a branch office. Each office has its own Active Directory domain in a single forest. Each office has three departments: sales, payroll, and marketing. All servers on the company's network run Windows Server 2008.

You want to deploy Active Directory Rights Management Services (AD RMS) to safeguard all sensitive information on your company's network.

You need to secure all documents and provide user authentication in both the main office domain and the branch office domain only for the sales and payroll departments.

What should you do? (Each correct answer presents part of the solution. Choose two.)

1. Configure the users in the sales and payroll departments in both offices to use the AD RMS server in the main office.

2. Set up a separate AD RMS server in each office. <Correct>

3. Set up a single AD RMS server in the main office.

4. Configure the users in the sales and payroll departments in both offices to use the AD RMS server in their respective offices. <Correct>

5. Install the AD RMS role on the domain controller in the main office.

Explanation :

You should set up a separate AD RMS server in each office, and configure the users in the sales and payroll departments in both offices to use the AD RMS server in their respective offices. You must install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) domain that contains the user accounts that will access the content protected by AD RMS. AD RMS can be used to protect all sensitive information on your company's network.

You should not set up a single AD RMS server in the main office and configure the users in the sales and payroll departments in both offices to use the AD RMS server in the main office. When you deploy AD RMS in your company's network, you must create a separate AD RMS service for each domain's users. You cannot create a single AD RMS server for two or more separate domains.

You should not install the AD RMS role on the domain controller in the main office. You cannot create a single AD RMS server for two or more separate domains.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Rights Management Service (AD RMS).

References :

Pre-installation Information for Active Directory Rights Management Services Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.mspx?mfr=true

How To Install Server Roles and Server Features Course 6042

Question ID :

rrMS_70-640-039

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. All member servers are located in a MemberServers organizational unit (OU).

A member server contains a folder named Confidential. The Confidential folder contains documents that no temporary employee should be allowed to access, regardless of membership in other groups.

You need to prevent temporary employees from accessing files in the Confidential folder.

What should you do?

1. Create a local group named Temps on the file server.

Create a security policy that denies the Read access on the Confidential folder to the Temps group. Apply the security policy to the file server.

2. Create a domain local group named Permanent and add all permanent employees to it.

Create a Group Policy object (GPO) named DenyTemps and link it to the domain.

In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

3. Create a domain local group named Temps and add all temporary employees to it.

Create a Group Policy object (GPO) named DenyTemps and link it to the domain.

In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Temps group. <Correct>

4. Create a local group named Permanent on the file server and add all permanent employees to it.

Create a Group Policy object (GPO) named DenyTemps and link it to the domain.

In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

Explanation :

You should perform the following steps:

* Create a domain local group named Temps and add all temporary employees to it.

* Create a GPO named DenyTemps and link it to the domain.

* In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Temps group.

The File System policy in a GPO allows you to globally manage permissions for a file system folder. You can allow access or deny access to a domain group, but it is recommended that you use a domain local group for better manageability. When you deny access, it takes precedence over all other permissions granted to that user or to a group to which that user belongs.

You should not perform the following steps:

* Create a local group named Temps on the file server.

* Create a security policy that denies the Read access on the Confidential folder to the Temps group.

* Apply the security policy to the file server.

The File System policy is not available in a security policy that you apply locally. It is only available in a GPO.

You should not perform the following steps:

* Create a domain local group named Permanent and add all permanent employees to it.

* Create a GPO named DenyTemps and link it to the domain.

* In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

The deny permission takes precedence over all other permissions. Because all users belong to the Domain Users group, taking these steps will deny permissions to all users, including those who should otherwise be granted access to the files.

You should not perform the following steps:

* Create a local group named Permanent on the file server and add all permanent employees to it.

* Create a GPO named DenyTemps and link it to the domain.

* In the DenyTemps GPO, configure the File System policy to deny Read access on the Confidential folder to the Domain Users group and grant Read access to the Permanent group.

You cannot assign permissions to local groups using the File System policy. You can only assign permissions to domain groups using the File System policy.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Maintain Active Directory accounts.

References :

Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1 Microsoft Downloads Link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2043b94e-66cd-4b91-9e0f-68363245c495&DisplayLang=en

Question ID :

flm9MS_70-640-009

You are configuring a network as a single Active Directory domain. Your network includes several branch offices connected by low-bandwidth, on-demand links.

You need to ensure that users in the branch offices are able to log onto the domain. You want to keep the effort required to configure and manage the network to a minimum. You also want to keep network traffic to these remote offices to a minimum during normal operations.

What should you do?

1. Deploy a DNS-stub zone in each of the branch offices.

2. Enable logon caching on clients in the branch offices.

3. Deploy a read-only domain controller (RODC) configured as a global catalog server in each office. <Correct>

4. Configure each branch office as a child domain.

Explanation :

You should deploy a read-only domain controller (RODC) configured as a global catalog server in each office. The RODC will support unlimited user logons between connections with the main office. You can configure the RODC as a global catalog server during promotion to domain controller. When using an RODC in each branch, each branch must be configured as a different site.

Enabling logon caching is not a fully reliable solution. No matter how high you set the logon cache limit, users will be limited to no more than 50 cached logons. Depending on how often the branch office connects to the main office, this could become a problem.

There is no reason to deploy a DNS-stub zone in the branch offices. A DNS-stub zone provides pointers to authoritative DNS servers, but it does nothing to enable local support for logon. It is often useful to deploy a stub zone in a branch office to direct DNS requests to the appropriate DNS server.

You should not configure each branch office as a child domain. This increases the administrative overhead because each of the branch offices must be maintained separately.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure the global catalog.

References :

Windows Server 2008 in Branch Offices Microsoft.com Link: http://www.microsoft.com/windowsserver2008/branch-office.mspx

Cached domain logon information Microsoft Help and Support Link: http://support.microsoft.com/kb/172931

What's New in AD DS Installation and Removal Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e5bf22f7-f617-4820-a6d0-6271e3b80fe4103

Question ID :

niit9MS_70-640-089

Your company's network consists of a single Active Directory forest. All servers on the network are running Windows Server 2008. You install the Active Directory Federation Services (AD FS) server role on a computer named FedSrv. You install Windows SharePoint Services (WSS) on a computer named WSS1. FedSrv and WSS1 are members of a domain in the forest. The network also contains a stand-alone server.

You configure FedSrv to enable users from a partner organization to access a Web application in your network. You want to install the Federation Service Proxy to forward credentials of users and Web applications to the Federation Services server on their behalf.

Where should you install the Federation Service Proxy?

1. Install the Federation Service Proxy on WSS1.

2. Install the Federation Service Proxy on a domain-based computer that does not have AD FS or WSS installed. <Correct>

3. Install the Federation Service Proxy on FedSrv.

4. Install the Federation Service Proxy on the stand-alone server.

Explanation :

You should install the Federation Service Proxy on a domain-based computer that does not have AD FS or WSS installed. The Federation Service Proxy collects user credentials from browser clients and Web applications and forwards the credentials to the federation service. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running WSS. AD FS allows browser-based clients to access protected Internet-facing applications without having to supply additional credentials, even if the user accounts and applications are in different networks or organizations.

You should not install the Federation Service Proxy on FedSrv or WSS1. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running WSS.

You should not install the Federation Service Proxy on a stand-alone computer. This will not allow the Federation Service Proxy to collect and forward user credentials to the Federation Service server.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Federation Services (AD FS).

References :

Active Directory Federation Services Overview Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx

Step 1: Preinstallation Tasks Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true

Phases of Setting Up Windows Server 2008 Course 6042

Question ID :

rrMS_70-640-045

Your company's network includes four domains. Each domain is located at a different site and is managed by a different group of administrators. The file servers in each domain are stored in the FileServers organizational unit (OU).

The company has a set of security policies that must be implemented on all file servers company-wide. These policies include audit policies, restricted groups, and user rights assignments.

You need to implement these security policies.

What should you do?

1. Use Group Policy Editor to create an ADMX file and import it to the central store. Instruct administrators for each domain to create a Group Policy object (GPO) using the ADMX file and link it to the FileServers OU.

2. Use Group Policy Editor to create an ADM file and import it to the central store. Instruct administrators for each domain to create a Group Policy object (GPO) using the ADM file and link it to the FileServers OU.

3. Use Security Configuration and Analysis to create a security policy. Instruct administrators for each domain to create a Group Policy object (GPO), import the security policy, and link it to the FileServers OU.

4. Use Security Templates to create a security policy. Instruct administrators for each domain to create a Group Policy object (GPO), import the security policy, and link it to the FileServers OU. <Correct>

Explanation :

You should perform the following steps:

* Use Security Templates to create a security policy.

* Instruct administrators for each domain to create a GPO, import the security policy, and link it to the FileServers OU.

You can use Security Templates to create a security policy that contains settings for any policy in the Computer Configuration | Security Settings node. Administrators can apply a security policy to a computer or deploy it by importing it to a GPO.

You should not create an ADMX file and store it in the central store. An ADMX file is a file that defines an Administrative Template. An Administrative Template defines settings that can be implemented through GPOs and where they are stored in the Registry. It does not contain values for Security Settings.

You should not create an ADM file and store it in the central store. An ADM file is the legacy format for Administrative Templates. It does not contain values for Security Settings and cannot be stored in the central store.

You should not use Security Configuration and Analysis to create a security policy. Security Configuration and Analysis can import a policy or analyze a system against a policy. It cannot be used to create a security policy.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Configure GPO templates.

References :

Server Security Policy Management in Windows Server 2008 Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/6a85b0ac-2e0a-4a53-9379-b0b314017960103

Question ID :

niit8MS_70-640-032

Your company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008. A server named DC1 is configured as a domain controller, and a server named DNS1 is configured as a Domain Name System (DNS) server and stores an Active Directory-integrated zone.

The company opens a new branch office at a physically insecure location. You need to provide name resolution services to the users in the branch office without compromising the security of the Active Directory database.

What should you do?

1. Install a read-only domain controller (RODC) in the branch office. <Correct>

2. Install the DNS role on a member server in the branch office and create a primary zone.

3. Install a writable domain controller in the branch office and create an Active Directory-integrated zone.

4. Install the DNS role on a standalone computer in the branch office and create a stub zone.

Explanation :

You should install a read-only domain controller (RODC) in the branch office. An RODC is a shadow copy of a domain controller that cannot be directly configured. This makes it less vulnerable to network threats. You can install an RODC in a location that is not physically secure enough for a domain controller. To support RODC in a network, the DNS server running Windows Server 2008 supports a new type of zone called a primary read-only zone or a branch office zone. When a computer becomes an RODC, it receives a full read-only copy of all of the application directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions.

You should not install the DNS role on a standalone computer in the branch office and create a stub zone. Stub zones contain only those resource records that identify the authoritative DNS servers for that zone. A stub zone does not contain a full read-only copy of the zone.

You should not install the DNS role on a member server in the branch office and create a primary zone. A standard primary zone is not a read-only zone and can be modified. A standard primary zone stores the DNS zone information in a .dns text file instead of in Active Directory.

You should not install a writable domain controller in the branch office and create an Active Directory-integrated zone. An Active Directory-integrated zone stores zone data in Active Directory. Active Directory-integrated zones provide name resolution even if a Wide Area Network (WAN) link is temporarily unavailable between domains, as long as each domain has an authoritative DNS server installed on a domain controller. In this scenario, the branch office is located at a physically insecure location. Therefore, installing a writable domain controller in the branch office can compromise the security of the Active Directory database.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure zone transfers and replication.

References :

DNS Server Role Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true

New features for DNS Microsoft TechNet Link:

http://technet2.microsoft.com/WindowsServer/en/library/f031ac33-23f7-4fb8-9bfc-4947cb9959fb1033.mspx?mfr=true

Question ID :

flm9MS_70-640-023

You used Dsdbutil to create a backup of Active Directory Lightweight Directory Services (AD LDS) to removable media. You need to restore this copy to a server running Microsoft Windows Server 2008 configured with the Active Directory Domain Services (AD DS) and AD LDS roles.

What should you do?

In the list on the right, select the steps necessary to restore the LDS instance. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You may not need to use all of the items from the list on the right.

Explanation :

The steps necessary to restore from a backup made with Dsdbutil are:

* Stop the AD LDS service.

* Copy the instance data using Xcopy.

* Start the AD LDS service.

You must stop the AD LDS service before copying the instance data. Use Xcopy to copy the data to the LDS data directory. The default location of this directory is:

%ProgramFiles%\Microsoft ADAM\<instance_name>\data

Replace <instance_name> with the LDS instance name.

You cannot use Windows Server Backup to restore from a backup created with Dsdbutil.

It is not necessary to stop and later start the AD DS service to restore LDS instance data.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Lightweight Directory Service (AD LDS).

References :

Appendix B: Restore an AD LDS Instance with a Backup Taken with Dsdbutil.exe Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/2294e21c-eede-4dbf-9f29-135b65b2b2c61033.mspx?mfr=true

Step 2: Restore AD LDS Instance Data Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/3c586656-271f-4f8e-9f9c-62400e55ce0b1033.mspx?mfr=true

Question ID :

rrMS_70-640-053

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. Your network does not currently have a Public Key Infrastructure (PKI).

You plan to implement Internet Protocol Security (IPSec) on the network. You will use certificates for authentication.

You want to deploy certificates using automatic enrollment. Only a single server can be configured to run Certificate Services.

What should you do?

1. Install a standalone issuing certificate authority (CA).

2. Install an Enterprise root certificate authority (CA).

3. Install an Online Responder.

<Correct>

4. Install a standalone root certificate authority (CA).

Explanation :

You should install an Enterprise root CA. Automatic enrollment is configured using certificate templates. Certificate templates are only supported by Enterprise CAs because they depend on Active Directory. Because you are installing only one CA, you must install it as a root CA.

You should not install a standalone root CA. You would install a standalone root CA if you did not have an Active Directory network or if you needed to be able to take the root CA offline. Standalone CAs do not support automatic enrollment on certificate templates.

You should not install an Online Responder. An Online Responder is used to respond to certificate verification requests. It cannot be the only server in a PKI because it must receive a certificate from an enterprise issuing CA.

You should not install a standalone issuing CA. An issuing CA is a CA that issues certificates. However, you cannot install a standalone issuing CA because you need Active Directory to support automatic enrollment.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Install Active Directory Certificate Services.

References :

Active Directory Certificate Services Longhorn Beta3 Certificate Templates Whitepaper Microsoft Downloads Link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en

Defining CA Types and Roles Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/1b28424c-8c62-44b6-a24f-8ea06ac5832b1033.mspx?mfr=true

Question ID :

niit9MS_70-640-114

Your organization has a single forest environment which includes computers running Windows Server 2003.

You plan to create a new child domain by installing a computer running Windows Server 2008 as a domain controller. You also need to configure the computer as a global catalog server.

What should you install on the Windows Server 2008 computer to create the first Windows Server 2008 domain controller?

1. Active Directory Federation Services (AD FS)

2. Active Directory Lightweight Domain Services (AD LDS)

3. Active Directory Domain Services (AD DS)

<Correct>

4. Active Directory Certificate Services (AD CS)

Explanation :

You should install AD DS on the Windows Server 2008 computer to configure it as the first Windows Server 2008 domain controller. AD DS stores information about objects on the network. After installing the AD DS server role, you should run the Active Directory Domain Services Installation Wizard from the Administrative Tools folder to further promote the server as a fully functional domain controller. When installing and configuring the first Windows Server 2008 domain controller, the Active Directory Domain Services Installation Wizard will also configure the server as a global catalog server.

You should not install AD FS. The AD FS server role provides secured identity federation and Web single sign-on (SSO) capabilities.

You should not install AD CS. The AD CS server role is used to create and manage certification authorities and related components.

You should not install AD LDS. The AD LDS server role provides a store for application-specific data for directory-enabled applications.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure the global catalog.

References :

Scenarios for Installing AD DS Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/708da9f7-aaad-4fa1-bccb-76ea8569da501033.mspx?mfr=true

The Process of Installing Domain Controllers Course 6043

Question ID :

rrMS_70-640-026

Your company hires many employees each month. The human resource manager typically gives you a Microsoft Office Excel workbook with the pertinent information about 30 to 40 new employees each month.

You need to minimize the amount of effort required to create user accounts for new employees.

What should you do?

1. Create a user account and disable it. Use the user account as a template.

2. Create a user account. Copy it and rename it for each user.

3. Use the Active Directory Migration Tool to create the user accounts.

4. Create a PowerShell script to import the accounts.

<Correct>

Explanation :

You should create a PowerShell script to import the accounts. Windows Server 2008 includes PowerShell, which is a powerful tool for creating scripts that can be used to perform a large number of tasks, including managing user accounts and importing them from a file.

You should not create a user account, disable it, and then use the user account as a template. Although this procedure would work, it would require much more effort each month than importing the users from the file provided by human resources.

You should not use the Active Directory Migration Tool (ADMT) to create the user accounts. ADMT is used to migrate users between domains, not to import users from a file.

You should not create a user account, copy it, and rename it for each user. While this would work, it would require more effort each month than importing the user accounts from a script.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Automate creation of Active Directory accounts.

References :

Windows PowerShell Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/add493f5-e54b-4033-a6a0-567900d787211033.mspx?mfr=true

Question ID :

rrMS_70-640-028

Your network has four Active Directory domains and four locations. The domain controllers are shown in the exhibit.

All users need frequent access to resources in stayandsleep.com. Users in Atlanta need frequent access to resources in Atlanta, Chicago, and Des Moines. Users in other offices need access only to resources in their own domains and in stayandsleep.com.

You need to configure DNS to allow users to resolve the names of the resources they use most frequently using a local DNS server. Your solution must minimize data transfer across the link between Europe and the United States.

What should you do?

1. Create an Active Directory-Integrated primary zone for each domain. Install DNS on a domain member on each continent. Configure a secondary zone on those domain members. Configure zone transfer.

2. Create a standard primary zone for each domain. Install DNS on a domain member on each continent. Configure a secondary zone on those domain members. Configure zone transfer.

3. Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain. Specify All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

4. Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain. Create application directory partitions to meet replication requirements. Specify All domain controllers in a specified application directory partition as the replication scope for each zone.

<Correct>

Explanation :

You should perform the following steps:

* Install DNS on all domain controllers and create an Active Directory-Integrated zone for each domain.

* Create application directory partitions to meet replication requirements.

* Specify All domain controllers in a specified application directory partition as the replication scope for each zone.

An Active Directory-Integrated zone is replicated along with other Active Directory data. You can limit the scope of replication by creating application directory partitions to meet replication requirements and selecting All domain controllers in a specified application directory partition as the replication scope.

You should not perform the following steps:

* Install DNS on all domain controllers and create an Active Directory-integrated zone for each domain.

* Specify All DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008 as the replication scope for each zone.

When you specify this option, DNS data is replicated only within the domain. In this example, users in Atlanta would not be able to resolve the names of resources in stayandsleep.com or midwest.stayandsleep.com locally.

You should not use secondary zones. Active Directory replication is more efficient than zone transfer because data is replicated using the replication topology. Therefore, you do not need to separately manage a zone transfer topology. Also, Active Directory replication is more secure than zone transfer. Finally, Active Directory replication allows for incremental replication of only the changes that have occurred.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure zone transfers and replication.

References :

Understanding DNS Zone Replication in Active Directory Domain Services Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e93c32c9-0c5c-4822-9c84-d464658d6ed31033.mspx?mfr=true

Understanding Active Directory Domain Services Integration Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/427144ca-37ce-4db7-a611-605338ec01ca1033.mspx?mfr=true

Question ID :

rrMS_70-640-022

Your network is configured as a single Active Directory forest with two domains: DomA and DomB. DomA-DC2 is configured as the schema master. DomA-DC2 and DomB-DC2 are configured as infrastructure masters. Denver and New York are both connected to Chicago using a high-speed link. There is no physical connection between Denver and New York. The site topology for the network is shown in the exhibit. The Bridge All Site Links option is not enabled.

An administrator in Denver attempts to install an application. The installation fails with the error "Cannot extend the schema." You realize that the connection between New York and Chicago has failed.

You need to enable the administrator in Denver to install applications that modify the schema even if the link between New York and Chicago goes down.

What should you do?

1. Transfer the schema master role to DomA-DC1.

<Correct>

2. Transfer the infrastructure master role to DomB-DC1.

3. Add the infrastructure master role to DomB-DC1.

4. Add the schema master role to DomB-DC2.

Explanation :

You should transfer the schema master role to DomA-DC1. The problem is occurring because DomB-DC1 cannot access the schema master in New York. By positioning the schema master in the hub site, you make it accessible to all sites.

You should not add the schema master role to DomB-DC2. The schema master role is a forest-wide role and can only be held by one domain controller in the forest.

You should not transfer the infrastructure master role to DomB-DC1. The infrastructure master is responsible for keeping track of security principals from other domains who are members of groups in the domain to which the infrastructure master belongs. Being unable to contact the infrastructure master will not prevent an application from extending the schema.

You should not add the infrastructure master role to DomB-DC1. The infrastructure master role is a domain-wide role and can only be assigned to one domain controller in the domain.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure operations masters.

References :

Planning Operations Master Role Placement Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true

Question ID :

rrMS_70-640-034

Your company's network is implemented as a single Active Directory domain. All domain controllers are running Windows Server 2008.

Your company wants to require users to change their passwords at least every 60 days. A user should not be able to reuse a password within six months.

You need to configure account policies.

What should you do?

1. Set the following policies:

Enforce user logon restrictions = true

Maximum password age = 60

Minimum password age = 30

2. Set the following policies:

Enforce password history = 180

Enforce user logon restrictions = true

Maximum password age = 60

3. Set the following policies:

Enforce password history = 3

Maximum password age = 60

Minimum password age = 45

4. Set the following policies:

Enforce password history = 6

Maximum password age = 60

Minimum password age = 30

<Correct>

Explanation :

You should set the following policies:

* Enforce password history = 6

* Maximum password age = 60

* Minimum password age = 30

The Enforce password history policy determines the number of passwords that a user must use before recycling a password. The Minimum password age determines the number of days that must pass between password changes. Therefore, setting Enforce password history to 6 and Minimum password age to 30 requires 180 days before a password can be reused. The Maximum password age determines the maximum number of days a password can be used before it is changed.

You should not set the following policies:

* Enforce password history = 3

* Maximum password age = 60

* Minimum password age = 45

These policies would allow a user to reuse a password after 3 * 45 days or 135 days.

You should not set the following policies:

* Enforce user logon restrictions = true

* Maximum password age = 60

* Minimum password age = 30

These policies do not define the Enforce password history policy. Therefore, a password can be reused immediately. The Enforce user logon restrictions policy determines whether the Kerberos Key Distribution Center (KDC) verifies user rights each time a user requests a session ticket. It does not affect password expiration.

You should not set the following policies:

* Enforce password history = 180

* Enforce user logon restrictions = true

* Maximum password age = 60

The Enforce password history policy defines the number of passwords that must be used before a password can be reused. It must be set to a value between 0 and 24.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Configure account policies.

References :

Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1 Microsoft Downloads Link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2043b94e-66cd-4b91-9e0f-68363245c495&DisplayLang=en

Question ID :

niit9MS_70-640-091

You have deployed Windows Server 2008 on all servers in the organization. You recently installed the Windows Server Backup feature by using Server Manager on a Windows Server 2008 server.

You need to set up and run scheduled backups that back up the full server to external disks at 9:00 P.M. You have connected an external disk to the server that supports universal serial bus (USB) 2.0.

What should you do?

In the list on the right, select the tasks that you should perform to set up a scheduled backup. Place the tasks in the order in which you should perform them. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. Place the first task that you should perform at the top of the list. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You should perform the following steps to set up and run scheduled backups for the full server to external disks:

* Select Backup Schedule from the Actions pane in the Windows Server Backup snap-in. This will start the Backup Schedule Wizard on Windows Server 2008, which allows you to schedule a backup for one time or multiple times. Once the backup schedule is in place, backups will run automatically at the scheduled time. By default, the backup is scheduled to run at 9:00 P.M. each day.

* Click Next on the Getting Started page in the Backup Schedule Wizard. This page provides general information on how to use the Wizard to schedule backups.

* Select the recommended option on the Select backup type page and click Next. This page allows you to select the type of backup that you are scheduling. By default, Full Server backup is selected. This is also a recommended type of backup when you are using the Backup Schedule Wizard. Full server backup allows recovery of the operating system state, as well as files, folders, and application data by creating snapshots of the full server at specific intervals.

* Select the default on the Specify backup time page and click Next. The Specify backup time page allows you to choose how often you want to perform backups and at what time. By default, the Once a day option is selected under How often do you want to run backups? and 9:00 P.M. is selected in the Select time of day drop-down box.

* Select the external disk on the Specify target disk page, and then click Next. The Specify target disk page allows you to choose where to save the backup. Once the decision is made about what data should be backed up, the next step is to determine where to store the backup. Options for storage include external or internal hard drives, CDs, DVDs, or USB flash drives.

You should not select the Custom option on the Select backup type page and click Next. This option should be selected when you want to back up only selected volumes, or if you want to exclude some volumes from scheduled backups.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Configure backup and recovery.

References :

Windows Server 2008 Backup and Recovery Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f9-9e8a-71aeb25fa4ad1033.mspx

How To Back Up AD DCs Course 6043

Question ID :

niit8MS_70-640-086

All servers on your company's network run Windows Server 2008. A server named DC1 has Active Directory Domain Services (AD DS) installed. You have configured a scheduled backup to be performed every day on DC1.

Some users report that searching for resources in the Active Directory takes a considerable amount of time. To resolve this problem, you need to perform an offline defragmentation of the Active Directory database.

Which steps should you perform to achieve the desired goal?

In the list on the right, select the correct steps. Place your selections in the list on the left in the order in which they should be performed. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You should perform the following steps to perform an offline defragmentation of AD DS in Windows Server 2008:

* Stop the Active Directory Domain Services (AD DS) service.

* Run the Compact to command at the Ntdsutil file maintenance prompt.

* Delete all the log files in the log directory.

* Copy the compacted Ntds.dit file to the original location.

* Run the Integrity command at the Ntdsutil file maintenance prompt.

* Restart the AD DS service.

When you perform offline defragmentation of the directory database file, a new compacted version of the database file is created in a different location. In Windows Server 2008, you can perform offline defragmentation of the AD DS directory database by stopping the AD DS service, performing the offline defragmentation, and starting the AD DS service. To perform an offline defragmentation of the AD DS database, you should first stop the AD DS service. You should run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command. If defragmentation completes successfully, you should delete all of the log files in the log directory. You should then manually copy the compacted database file to its original location. After copying the compacted Ntds.dit file to its original location, you should perform the integrity check on the database. If the integrity check succeeds, you should restart the AD DS service.

You should not restart the server in Directory Services Restore Mode because it is not required in Windows Server 2008. The Restartable AD DS feature in Windows Server 2008 allows you to perform an offline defragmentation of the AD DS database without restarting the domain controller in Directory Services Restore Mode.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Perform offline maintenance.

References :

Compact the directory database file (offline defragmentation) Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Windows Server 2008 Restartable AD DS Step-by-Step Guide Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

What Are Restartable AD DS? Course 6043

Question ID :

niit9MS_70-640-092

You have deployed Windows Server 2008 on all servers in your organization. Your organization has purchased a new computer to support File Services. Another Windows Server 2008 server exists in the organization that has File Services installed on it.

You need to perform a full system backup and then decommission the existing server before installing File Services on the new server.

In the list on the right, select the steps that you should take to perform a full system backup. Place your selections in the list on the left in the order in which you should perform them, and place the first step that you should take at the top of the list. Place your selections in the list on the left by clicking the items in the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may not need to use all of the items from the list on the right.

Explanation :

You should take the following steps to perform a full system backup:

* Select Backup once from the Actions pane in the Windows Server Backup snap-in. You should click the Backup once link in the Actions pane to start the Backup Once Wizard to perform a full system backup.

* On the Backup options page, choose Different options and then click Next. When creating a backup by using the Backup Once Wizard, you should select Different options; this will allow you to choose the items to back up and the location to store the backup items.

* Select the recommended option on the Select items page and click Next. The Select items page allows you to choose the type of backup, such as Full Server or Custom, that you want to perform. By default, the Full server (recommended) option is selected.

* Select Local drives on the Specify location type page, and then click Next. You should select the Local drives option to store the backup in the local disk or on the DVD drive. You can also select Remote shared folder when choosing the type of storage for the backup.

You should not select Backup Schedule from the Actions pane in the Windows Server Backup snap-in, because this will schedule the backup for a later time in the day. As mentioned in the scenario, you need to perform a full system backup and then decommission the server immediately after the backup is finished. Therefore, you should run the Backup Once Wizard to perform a full system backup.

You should not click Next on the Getting Started page in the Backup Schedule Wizard, because this page is only available when running the Backup Schedule Wizard. In this scenario, you should run the Backup Once Wizard to perform a full system backup, because you need to decommission the server immediately after the backup is finished.

You should not select the recommended option on the Select backup type page and click Next, because this page is only available when running the Backup Schedule Wizard. In this scenario, you should run the Backup Once Wizard to perform a full system backup, because you need to decommission the server immediately after the backup is finished.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Configure backup and recovery.

References :

Windows Server 2008 Backup and Recovery Step-by-Step Guide Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f9-9e8a-71aeb25fa4ad1033.mspx

How To Back Up AD DCs Course 6043

Question ID :

dhMS_70-640-020

Your company's network consists of a single Active Directory domain. All domain controllers are running Microsoft Windows Server 2008. Client computers are running Windows XP Professional.

The company has recently acquired a subsidiary company. You need to create user accounts within your company's existing domain for all users from the subsidiary. You have a comma separated value (CSV) file that contains all the names of all user accounts that need to be added.

You need to import the user accounts into the domain.

Which command should you use?

1. csvde

<Correct>

2. ADSI Edit

3. dsadd

4. ldifde

Explanation :

You should use csvde to import the accounts into Active Directory. Csvde is used to import and export data that is stored in comma separated value (CSV) format. You can also perform batch operations such as adding new users and updating properties by using the CSV file. For example, you can create multiple user accounts in a single batch operation.

You should not use dsadd. Dsadd is a command line tool used to create objects, such as computer accounts, in Active Directory. However, it cannot be used to import accounts into Active Directory.

You should not use ldifde. Ldifde is used to create, modify, and delete directory objects. It can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services. However, it cannot be used to import data from a CSV file into Active Directory.

You should not use ADSI Edit. This tool is used to manage objects and attributes in Active Directory Domain Services. You can use ADSI to perform such functions as querying, viewing, and editing attributes. However, it cannot be used to import data into Active Directory.

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Automate creation of Active Directory accounts.

References :

Csvde Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver2008/en/library/bd5e4f88-c30a-47a8-b3d2-026e4497275c1033.mspx?mfr=true

Dsadd group Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/4b547a24-3132-4b92-9812-7de9766005cc1033.mspx?mfr=true

Ldifde Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/8fe5b815-f89d-48c0-8b2c-a9cd1d698652103

Question ID :

niit8MS_70-640-082

Your company's network consists of a single Active Directory domain. You perform the Server Core installation of Windows Server 2008 on a computer named Server1. A volume named ConfVol on Server1 contains confidential files that are accessed by managers of the company.

One day, a manager reports that he is unable to access the ConfVol volume on Server1. You investigate and discover that the volume has become corrupt.

You need to restore the ConfVol volume from a backup.

Which command should you run?

1. Wbadmin start recovery

<Correct>

2. Wbadmin start sysstaterecovery

3. Wbadmin restore catalog

4. Wbadmin start sysrecovery

Explanation :

You should run the Wbadmin start recovery command. Wbadmin.exe is a command-line tool that allows you to perform backup and restore operations on your computer, volume, and files. The Wbadmin start recovery command is used to perform a recovery of the specified volumes, applications, or files and folders. The -itemtype parameter specifies the type of items to recover. The value for this parameter must be one of the following: Volume, App, or File. The -backupTarget parameter specifies the location of the backup that you want to recover.

You should not run the Wbadmin start sysrecovery command. This command is used to perform a full system recovery. In this scenario, you want to restore only a volume.

You should not run the Wbadmin start sysstaterecovery command. The Wbadmin start sysstaterecovery command is used to perform a system state recovery of a Windows Server 2008 computer. In this scenario, you want to restore only a volume.

You should not run the Wbadmin restore catalog command. The Wbadmin restore catalog command is used to recover a catalog that has been corrupted. Running this command is useful if recovery from the backup catalog is not possible. The Wbadmin restore catalog command cannot be used to recover a corrupted volume.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Configure backup and recovery.

References :

Wbadmin start recovery Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/52381316-a0fa-459f-b6a6-01e31fb216121033.mspx?mfr=true

Wbadmin Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/4b0b3f32-d21f-4861-84bb-b2eadbf1e7b81033.mspx?mfr=true

Backup Command Reference Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/03de0a65-21f0-4dd7-a3ae-251c98bbf6eb103

The Process of Recovering AD DC Data Course 6043


Question ID :

niit8MS_70-640-079

Your company's network consists of a single Active Directory forest. The network contains an Active Directory Federation Services (AD FS) server and a Windows SharePoint Services server. The network also contains a stand-alone computer that runs Windows Server 2008. The AD FS server allows users from a partner organization to access a Web application in your network. You install Windows Server 2008 on a server named Server1 in the perimeter network.

You want to install the Federation Service Proxy to forward credentials of users and Web applications to the Federation Services server on their behalf.

What should you do?

1. Install the Federation Service Proxy on the stand-alone computer.

2. Install the Federation Service Proxy on the AD FS server.

3. Install the Federation Service Proxy on the Windows SharePoint Services server.

4. Install the Federation Service Proxy on Server1 in the perimeter network.

<Correct>

Explanation :

You should install the Federation Service Proxy on a computer that does not have AD FS or Windows SharePoint Services installed. In this scenario, Server1 does not have AD FS or Windows SharePoint Services installed. Therefore, you can install the Federation Service Proxy on Server1 in the perimeter network to achieve the desired goal. The Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running Windows SharePoint Services.

You should not install the Federation Service Proxy on the AD FS server or the Windows SharePoint Services server because the Federation Service and Federation Service Proxy cannot be installed on the same computer or on a computer that is running Windows SharePoint Services.

You should not install the Federation Service Proxy on a stand-alone computer because installing the Federation Service Proxy on a stand-alone computer will not allow the Federation Service Proxy to collect and forward domain users' credentials to the Federation Service server.

Objective:

Configuring Additional Active Directory Server Roles

Sub Objective(s):

Configure Active Directory Federation Services (AD FS).

References :

Active Directory Federation Services Overview Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/ff50a7ff-156b-4589-a77c-38dda91571d31033.mspx

Step 1: Preinstallation Tasks Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true

How To Install Server Roles and Server Features Course 6042


Question ID :

rrMS_70-640-014

The network you manage has the five domains shown in the exhibit. Users in dev.eu.stayandsleep.com frequently access files on file servers in dev.corp.stayandsleep.com.

You need to optimize performance for users in dev.eu.stayandsleep.com when accessing files in dev.corp.stayandsleep.com.

What should you do?

1. Create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com.

<Correct>

2. Create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com.

3. Create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com.

4. Create a forest trust and enable selective authentication.

Explanation :

You should create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com. A shortcut trust is used to shorten the authentication path when users in one child domain need frequent access to resources in another child domain. The trusting domain is the one in which the resources are located.

You should not create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com. The trusting domain is the one in which the resources are located.

You should not create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com. An external trust is used to allow access to or from a Windows NT 4.0 domain or when you cannot use a forest trust. An external trust is not used between domains in the same forest.

You should not create a forest trust and enable selective authentication on it. A forest trust is used between two Active Directory forests, not within the same forest. Selective authentication is used to limit the access to specific users in different forests.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure trusts.

References :

Understanding When to Create a Shortcut Trust Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/6d35ab81-0b60-4425-8c95-46f676d1ea691033.mspx?mfr=true


Question ID :

rrMS_70-640-024

Your network includes the domain controllers shown in the exhibit.

DC1 experiences a hardware failure that makes it inaccessible. It will take several days to repair it, and it will need to have the operating system reinstalled.

You need to recover the operations master roles.

What should you do?

1. Transfer the schema master role to DC3. Transfer the infrastructure master role to DC2.

2. Seize the schema master role to DC4.

3. Seize the schema master role and the infrastructure master role to DC2.

<Correct>

4. Transfer the schema master role to DC2. Transfer the infrastructure master role to DC4.

Explanation :

You should seize the schema master role and the infrastructure master role to DC2. The schema master role is a forest-wide role that must be on a domain controller in the root domain. The infrastructure master role is a domain-wide role. Therefore, it must be on a domain controller in the same domain. Because DC1 is inaccessible, you must seize the roles. You should only seize roles when absolutely necessary because the existing operations master is inaccessible and will not be brought back online. In addition, you should seize a role on the domain controller that is most synchronized with the failed operations master. Seizing a role on a domain controller that is not synchronized could cause problems. For example, if the schema has not been updated, applications that use modifications to the schema could fail to operate correctly. If the infrastructure master role is seized to a computer that does not have the latest changes, problems due to accounts that have been moved or renamed could occur. You should run repadmin to ensure the target domain controller is as up to date as possible before seizing a role.

You cannot transfer the roles because DC1 is inaccessible. You can only transfer roles if you can access the domain controller that currently holds the roles.

You should not seize the schema master role to DC4. You should always seize a role with a direct replication partner if possible. Also, the schema master role must be held by a domain controller in the root domain.

Objective:

Configuring the Active Directory Infrastructure

Sub Objective(s):

Configure operations masters.

References :

Planning Operations Master Role Placement Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e2616396-12e6-4bad-a081-f94c032887101033.mspx?mfr=true

Seize operations master roles Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/33d25c21-ae42-422c-be18-d3e706e4b45e1033.mspx?mfr=true


Question ID :

rrMS_70-640-031

Your company has three domains: stayandsleep.com, nw.stayandsleep.com, and mw.stayandsleep.com. All user accounts are created in either nw.stayandsleep.com or mw.stayandsleep.com. Users must be able to log on using username@stayandsleep.com.

You are creating a script that will add users to nw.stayandsleep.com.

What command should you use?

1. dsadd user cn=username,cn=nw,dc=stayandsleep,dc=com -disabled no

2. dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -upn username@stayandsleep.com -disabled no

<Correct>

3. dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -samID username@stayandsleep.com -disabled no

4. dsadd user cn=username,dc=nw,dc=stayandsleep,dc=com -email username@stayandsleep.com -disabled no

Explanation :

You should use the following command:

dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -upn username@stayandsleep.com -disabled no

You must provide the distinguished name of the user. The distinguished name includes two common name (cn) elements, the username and the container in which the user should be created. It also includes a domain component (dc) for each name in the fully qualified domain name of the domain. To meet the requirement that the user can log in using username@stayandsleep.com, you must specify a user principal name (UPN) of username@stayandsleep.com.

You should not use the following command:

dsadd user cn=username,cn=nw,dc=stayandsleep,dc=com -disabled no

This command would create a user in the nw container of the stayandsleep.com domain.

You should not use the following command:

dsadd user cn=username,dc=nw,dc=stayandsleep,dc=com -email username@stayandsleep.com -disabled no

This command does not specify a container. Also, you do not specify a login name by specifying an e-mail address.

You should not use the following command:

dsadd user cn=username,cn=users,dc=nw,dc=stayandsleep,dc=com -samID username@stayandsleep.com -disabled no

The samID attribute is used to set the name of the Security Account Manager (SAM) account, which is the username.
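A script of the kind the question describes, added here as an example and not taken from the exam page: it loops over a constructed user list and runs dsadd with the users container DN and a UPN in the forest-root suffix. It also passes -pwd and -mustchpwd yes, which the options omit, because dsadd user -disabled no is rejected in a domain that enforces password complexity unless a compliant password is supplied; the user list, the New-RandomPassword helper and the dsquery existence check are assumptions.

```powershell
# Added example, not from the exam page: create users in nw.stayandsleep.com that can
# log on as username@stayandsleep.com. Assumes a domain-joined machine with the AD DS
# command-line tools (dsadd.exe, dsquery.exe) and rights to create users in the container.

$Container = 'cn=users,dc=nw,dc=stayandsleep,dc=com'   # container from the question
$UpnSuffix = 'stayandsleep.com'                        # forest root, not nw.stayandsleep.com

# Constructed sample input; a real script would read this with Import-Csv.
$NewUsers = @(
    @{ SamId = 'jdoe';   First = 'Jane'; Last = 'Doe'   },
    @{ SamId = 'rsmith'; First = 'Rob';  Last = 'Smith' }
)

function New-RandomPassword {
    # 16 characters drawn from mixed classes so the account meets default complexity rules.
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%+='
    -join (1..16 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

foreach ($u in $NewUsers) {
    $dn  = "cn=$($u.SamId),$Container"
    $upn = "$($u.SamId)@$UpnSuffix"

    # Existence check so a re-run of the batch does not stop at the first duplicate.
    if (dsquery * $dn -scope base 2>$null) {
        Write-Warning "$dn already exists, skipping"
        continue
    }

    $initialPwd = New-RandomPassword
    # -samid is the pre-Windows 2000 logon name; -upn is what makes username@stayandsleep.com work.
    # Without -pwd, "-disabled no" is rejected when the domain enforces password complexity.
    dsadd user $dn -samid $u.SamId -upn $upn -fn $u.First -ln $u.Last `
        -display "$($u.First) $($u.Last)" -pwd $initialPwd -mustchpwd yes -disabled no
    if ($LASTEXITCODE -ne 0) {
        Write-Error "dsadd failed for $dn"
        continue
    }

    # Hand the one-time password to the onboarding process out of band; do not write it to a log.
    New-Object PSObject -Property @{ User = $upn; InitialPassword = $initialPwd }
}
```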

Objective:

Creating and Maintaining Active Directory Objects

Sub Objective(s):

Automate creation of Active Directory accounts.

References :

Dsadd user Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/9e274947-2dec-4448-a822-8dd2f688fcec103


Question ID :

rrMS_70-640-008

You manage a network that includes the DNS servers shown in the exhibit. DNS-AD1 and DNS-AD2 are configured to forward requests for Internet addresses to DNS-Ext. DNS-Ext is not configured with a forwarder.

You need to configure the DNS servers to help mitigate the risk of a denial of service attack.

What should you do?

1. Disable recursion on DNS-AD1 and DNS-AD2.

2. Delete the Internet servers from root hints on DNS-Ext.

3. Disable recursion on DNS-Ext.

<Correct>

4. Delete the Internet servers from root hints on DNS-AD1 and DNS-AD2.

Explanation :

You should disable recursion on DNS-Ext. DNS-Ext is not configured with a forwarder. Therefore, it can use iterative requests to query the Internet root servers for name resolution. Disabling recursion when it is not needed can help prevent denial of service attacks.

You should not disable recursion on DNS-AD1 and DNS-AD2. When a DNS server uses a forwarder, it sends a recursive query to that forwarder. Therefore, if you disable recursion on DNS-AD1 and DNS-AD2, you will prevent them from being able to send queries for Internet resources to DNS-Ext.

You should not delete the Internet servers from root hints on DNS-AD1 and DNS-AD2. You can delete the Internet servers from root hints to prevent DNS-AD1 and DNS-AD2 from sending data directly to servers on the Internet. However, doing so will not mitigate the risk of a denial of service attack.

You should not delete the Internet servers from root hints on DNS-Ext. DNS-Ext needs root hints to locate Internet root servers and send iterative requests to them. Therefore, if you delete the Internet root servers, DNS-Ext will not be able to function.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure DNS server settings.

References :

Securing the DNS Server Service Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/9f93a319-4e77-4c17-ad4a-10e3ea9847f11033.mspx?mfr=true

Understanding Forwarders Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/WindowsServer2008/en/library/52ec32f6-5eda-4d6a-8e38-809fee243b711033.mspx

Using Forwarders Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/e2dd91d6-441f-4175-9d1d-d152d148d73c103


Question ID :

dhMS_70-640-019

Your company's network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. Users are required to enroll for a User certificate using Web enrollment.

Users are reporting that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity.

You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network.

What should you do?

1. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.

2. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.

3. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL). <Correct>

4. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.

Explanation :

You should use the Certificate Authority snap-in to configure the CA to use a Delta CRL. Delta CRLs only replicate the new revocations to each CRL distribution point. Using a Delta CRL means a smaller file and, therefore, less network traffic.

You should not decrease the Certificate Revocation List publication interval. The publication interval determines the frequency with which the CRL is published. By decreasing the interval, the CRL will be published more frequently and increase network traffic.

You should not deny users the Enroll permission on all templates except the User template. Denying users access to certificate templates increases security so you can control the types of certificates users can request. It does not, however, reduce network traffic.

You should not change the method used for certificate enrollment. Traffic will be generated when users first enroll for certificates. However, once users are issued a certificate, they do not need to generate an additional request. Changing the method used for certificate enrollment will not reduce network traffic on an ongoing basis.

Objective:

Configuring Active Directory Certificate Services

Sub Objective(s):

Configure CA server settings.

References :

Configuring Certificate Revocation Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083-8606-c0a4fdca9a25103


Question ID :

niit8MS_70-640-087

Your company's network contains servers that run Windows Server 2008. You install Active Directory Domain Services (AD DS) on a server named DC1.

You are in the process of performing an offline defragmentation of the AD DS database on DC1. You run the Compact to command at the Ntdsutil file maintenance prompt to compact the AD DS database file.

What should you do next?

1. Delete all of the log files in the log directory. <Correct>

2. Copy the compacted database to the %SystemRoot%\Windows\NTDS folder.

3. Copy the compacted database to the %SystemRoot%\Windows\SYSVOL folder.

4. Run the Integrity command at the Ntdsutil file maintenance prompt.

Explanation :

You should delete all of the log files in the log directory. To perform an offline defragmentation of the AD DS database, you must be a member of the local Administrators group on the domain controller. You should first stop the AD DS service and then perform the following steps:

* Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command.

* Delete all of the log files in the log directory.

* Manually copy the compacted database file to its original location.

* Perform the integrity check on the database.

* Restart the AD DS service.
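The five steps above as one script, added here as an example and not part of the exam page. It assumes an elevated session on a Windows Server 2008 domain controller, the default database folder %SystemRoot%\NTDS, and that C:\NTDSCompact and C:\NTDSBackup-* are scratch locations with room for a full copy of ntds.dit; the rollback on a failed integrity check is added here and is not part of the listed steps.

```powershell
# Added example, not from the exam page: offline defragmentation of the AD DS database using
# restartable AD DS, in the order the explanation gives. Assumes an elevated session on the DC,
# the default database folder %SystemRoot%\NTDS, and scratch space under C:\ (both assumptions).

$ErrorActionPreference = 'Stop'
$NtdsDir    = Join-Path $env:SystemRoot 'NTDS'
$Database   = Join-Path $NtdsDir 'ntds.dit'
$CompactDir = 'C:\NTDSCompact'             # no spaces, so ntdsutil needs no extra quoting
$BackupDir  = "C:\NTDSBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

function Invoke-Ntdsutil([string[]]$Commands) {
    # Each array element is one prompt command; the two "quit"s leave the files menu and the tool.
    & ntdsutil.exe @Commands 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed: $($Commands -join ' / ')" }
}

New-Item -ItemType Directory -Path $CompactDir, $BackupDir -Force | Out-Null

# Stop AD DS. -Force also stops its dependents (KDC, DNS, ...); remember which were running.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force

# Step 1: "compact to" writes a defragmented copy of ntds.dit into $CompactDir.
Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $CompactDir")
$compacted = Join-Path $CompactDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "compacted database not found at $compacted" }

# Step 2: delete the log files, keeping a copy of the old database and logs for rollback.
Copy-Item $Database, (Join-Path $NtdsDir '*.log') -Destination $BackupDir
Remove-Item (Join-Path $NtdsDir '*.log')

# Step 3: copy the compacted database back to its original location.
Copy-Item $compacted $Database -Force

# Step 4: integrity check before AD DS is allowed to use the new file; roll back on failure.
# A failure here leaves AD DS stopped on purpose: never restart it on a database that failed the check.
try {
    Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity')
}
catch {
    Copy-Item (Join-Path $BackupDir '*') $NtdsDir -Force
    throw
}

# Step 5: restart AD DS and the services that were stopped with it.
Start-Service NTDS
$dependents | Start-Service
```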

You should not copy the compacted database to the %SystemRoot%\Windows\NTDS folder. This step is performed after deleting all of the log files from the log directory.

You should not copy the compacted database to the %SystemRoot%\Windows\SYSVOL folder. The AD DS database file must be copied to its default location, which is the %SystemRoot%\Windows\NTDS folder.

You should not run the Integrity command at the Ntdsutil file maintenance prompt. This step is performed after copying the compacted database to the %SystemRoot%\Windows\NTDS folder.

Objective:

Maintaining the Active Directory Environment

Sub Objective(s):

Perform offline maintenance.

References :

Compact the directory database file (offline defragmentation) Microsoft TechNet Link:

http://technet2.microsoft.com/windowsserver/en/library/5dd6f9eb-0533-4474-ac52-dca78c5471dd1033.mspx?mfr=true

Windows Server 2008 Restartable AD DS Step-by-Step Guide Windows Server 2008 Technical Library Link:

http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true

What Are Restartable AD DS? Course 6043


Question ID :

niit8MS_70-640-029

Your company has a main office and five branch offices. You configure each office to have its own Active Directory domain in the same forest. All servers on the network run Windows Server 2008. The computers on the network are configured to use Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

To ensure that the host names of important servers on the network remain unique throughout all domains in the forest, you decide to configure the GlobalNames zone.

Which type of zone should you use?

1. Stub zone

2. Active Directory-integrated zone

<Correct>

3. Standard secondary zone

4. Standard primary zone

Explanation :

You should use an Active Directory-integrated zone. The GlobalNames zone provides single-name resolution for networks that do not contain a WINS server. To ensure that the GlobalNames zone provides single-name resolution, all authoritative DNS servers must be running Windows Server 2008. When you want to support deployment of the GlobalNames zone across multiple domains and forests, the GlobalNames zone must be integrated with AD DS.

You should not use a standard primary zone. A standard primary zone stores the DNS zone information in a .dns text file instead of in Active Directory.

You should not use a standard secondary zone. A standard secondary zone obtains zone information from its master DNS server. A master DNS server can be an Active Directory, primary, or secondary zone that is configured for zone transfers. The data stored in a secondary zone cannot be modified.

You should not use a stub zone. A stub zone contains only resource records for the authoritative DNS servers for that zone. A stub zone is generally used to resolve the host names between separate DNS namespaces.

Objective:

Configuring Domain Name System (DNS) for Active Directory

Sub Objective(s):

Configure zones.